No OneTemporary
Actions

Size

63 KB

Referenced Files

None

Subscribers

None

View Options

	diff --git a/conf/default.conf.php b/conf/default.conf.php
	index 4c44ce01cd..9c973f6f13 100644
	--- a/conf/default.conf.php
	+++ b/conf/default.conf.php
	@@ -1,714 +1,725 @@
	<?php

	/*
	* Copyright 2011 Facebook, Inc.
	*
	* Licensed under the Apache License, Version 2.0 (the "License");
	* you may not use this file except in compliance with the License.
	* You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing, software
	* distributed under the License is distributed on an "AS IS" BASIS,
	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	* See the License for the specific language governing permissions and
	* limitations under the License.
	*/

	return array(

	// The root URI which Phabricator is installed on.
	// Example: "http://phabricator.example.com/"
	'phabricator.base-uri' => null,

	// If you have multiple environments, provide the production environment URI
	// here so that emails, etc., generated in development/sandbox environments
	// contain the right links.
	'phabricator.production-uri' => null,

	// Setting this to 'true' will invoke a special setup mode which helps guide
	// you through setting up Phabricator.
	'phabricator.setup' => false,

	// The default PHID for users who haven't uploaded a profile image. It should
	// be 50x50px.
	'user.default-profile-image-phid' => 'PHID-FILE-4d61229816cfe6f2b2a3',

	// -- IMPORTANT! Security! -------------------------------------------------- //

	// IMPORTANT: By default, Phabricator serves files from the same domain the
	// application lives on. This is convenient but not secure: it creates
	// a vulnerability where an external attacker can:
	//
	// - Convince a privileged user to upload a file which appears to be an
	// image or some other inoccuous type of file (the file is actually both
	// a JAR and an image); and
	// - convince the user to give them the URI for the image; and
	// - convince the user to click a link to a site which embeds the "image"
	// using an <applet /> tag. This steals the user's credentials.
	//
	// If the attacker is internal, they can execute the first two steps
	// themselves and need only convince another user to click a link in order to
	// steal their credentials.
	//
	// To avoid this, you should configure a second domain in the same way you
	// have the primary domain configured (e.g., point it at the same machine and
	// set up the same vhost rules) and provide it here. For instance, if your
	// primary install is on "http://www.phabricator-example.com/", you could
	// configure "http://www.phabricator-files.com/" and specify the entire
	// domain (with protocol) here. This will enforce that viewable files are
	// served only from the alternate domain. Ideally, you should use a completely
	// separate domain name rather than just a different subdomain.
	//
	// It is STRONGLY RECOMMENDED that you configure this. Phabricator makes this
	// attack difficult, but it is viable unless you isolate the file domain.
	'security.alternate-file-domain' => null,

	// -- DarkConsole ----------------------------------------------------------- //

	// DarkConsole is a administrative debugging/profiling tool built into
	// Phabricator. You can leave it disabled unless you're developing against
	// Phabricator.

	// Determines whether or not DarkConsole is available. DarkConsole exposes
	// some data like queries and stack traces, so you should be careful about
	// turning it on in production (although users can not normally see it, even
	// if the deployment configuration enables it).
	'darkconsole.enabled' => false,

	// Always enable DarkConsole, even for logged out users. This potentially
	// exposes sensitive information to users, so make sure untrusted users can
	// not access an install running in this mode. You should definitely leave
	// this off in production. It is only really useful for using DarkConsole
	// utilties to debug or profile logged-out pages. You must set
	// 'darkconsole.enabled' to use this option.
	'darkconsole.always-on' => false,


	// Allows you to mask certain configuration values from appearing in the
	// "Config" tab of DarkConsole.
	'darkconsole.config-mask' => array(
	'mysql.pass',
	'amazon-ses.secret-key',
	'recaptcha.private-key',
	'phabricator.csrf-key',
	'facebook.application-secret',
	'github.application-secret',
	),


	// -- MySQL --------------------------------------------------------------- //

	// The username to use when connecting to MySQL.
	'mysql.user' => 'root',

	// The password to use when connecting to MySQL.
	'mysql.pass' => '',

	// The MySQL server to connect to. If you want to connect to a different
	// port than the default (which is 3306), specify it in the hostname
	// (e.g., db.example.com:1234).
	'mysql.host' => 'localhost',


	// -- Email ----------------------------------------------------------------- //

	// Some Phabricator tools send email notifications, e.g. when Differential
	// revisions are updated or Maniphest tasks are changed. These options allow
	// you to configure how email is delivered.

	// You can test your mail setup by going to "MetaMTA" in the web interface,
	// clicking "Send New Message", and then composing a message.

	// Default address to send mail "From".
	'metamta.default-address' => 'noreply@example.com',

	// Domain used to generate Message-IDs.
	'metamta.domain' => 'example.com',

	// When a user takes an action which generates an email notification (like
	// commenting on a Differential revision), Phabricator can either send that
	// mail "From" the user's email address (like "alincoln@logcabin.com") or
	// "From" the 'metamta.default-address' address. The user experience is
	// generally better if Phabricator uses the user's real address as the "From"
	// since the messages are easier to organize when they appear in mail clients,
	// but this will only work if the server is authorized to send email on behalf
	// of the "From" domain. Practically, this means:
	// - If you are doing an install for Example Corp and all the users will
	// have corporate @corp.example.com addresses and any hosts Phabricator
	// is running on are authorized to send email from corp.example.com,
	// you can enable this to make the user experience a little better.
	// - If you are doing an install for an open source project and your
	// users will be registering via Facebook and using personal email
	// addresses, you MUST NOT enable this or virtually all of your outgoing
	// email will vanish into SFP blackholes.
	// - If your install is anything else, you're much safer leaving this
	// off since the risk in turning it on is that your outgoing mail will
	// mostly never arrive.
	'metamta.can-send-as-user' => false,

	// Adapter class to use to transmit mail to the MTA. The default uses
	// PHPMailerLite, which will invoke "sendmail". This is appropriate
	// if sendmail actually works on your host, but if you haven't configured mail
	// it may not be so great. You can also use Amazon SES, by changing this to
	// 'PhabricatorMailImplementationAmazonSESAdapter', signing up for SES, and
	// filling in your 'amazon-ses.access-key' and 'amazon-ses.secret-key' below.
	'metamta.mail-adapter' =>
	'PhabricatorMailImplementationPHPMailerLiteAdapter',

	// When email is sent, try to hand it off to the MTA immediately. This may
	// be worth disabling if your MTA infrastructure is slow or unreliable. If you
	// disable this option, you must run the 'metamta_mta.php' daemon or mail
	// won't be handed off to the MTA. If you're using Amazon SES it can be a
	// little slugish sometimes so it may be worth disabling this and moving to
	// the daemon after you've got your install up and running. If you have a
	// properly configured local MTA it should not be necessary to disable this.
	'metamta.send-immediately' => true,

	// If you're using Amazon SES to send email, provide your AWS access key
	// and AWS secret key here. To set up Amazon SES with Phabricator, you need
	// to:
	// - Make sure 'metamta.mail-adapter' is set to:
	// "PhabricatorMailImplementationAmazonSESAdapter"
	// - Make sure 'metamta.can-send-as-user' is false.
	// - Make sure 'metamta.default-address' is configured to something sensible.
	// - Make sure 'metamta.default-address' is a validated SES "From" address.
	'amazon-ses.access-key' => null,
	'amazon-ses.secret-key' => null,

	// If you're using Sendgrid to send email, provide your access credentials
	// here. This will use the REST API. You can also use Sendgrid as a normal
	// SMTP service.
	'sendgrid.api-user' => null,
	'sendgrid.api-key' => null,

	// You can configure a reply handler domain so that email sent from Maniphest
	// will have a special "Reply To" address like "T123+82+af19f@example.com"
	// that allows recipients to reply by email and interact with tasks. For
	// instructions on configurating reply handlers, see the article
	// "Configuring Inbound Email" in the Phabricator documentation. By default,
	// this is set to 'null' and Phabricator will use a generic 'noreply@' address
	// or the address of the acting user instead of a special reply handler
	// address (see 'metamta.default-address'). If you set a domain here,
	// Phabricator will begin generating private reply handler addresses. See
	// also 'metamta.maniphest.reply-handler' to further configure behavior.
	// This key should be set to the domain part after the @, like "example.com".
	'metamta.maniphest.reply-handler-domain' => null,

	// You can follow the instructions in "Configuring Inbound Email" in the
	// Phabricator documentation and set 'metamta.maniphest.reply-handler-domain'
	// to support updating Maniphest tasks by email. If you want more advanced
	// customization than this provides, you can override the reply handler
	// class with an implementation of your own. This will allow you to do things
	// like have a single public reply handler or change how private reply
	// handlers are generated and validated.
	// This key should be set to a loadable subclass of
	// PhabricatorMailReplyHandler (and possibly of ManiphestReplyHandler).
	'metamta.maniphest.reply-handler' => 'ManiphestReplyHandler',

	// If you don't want phabricator to take up an entire domain
	// (or subdomain for that matter), you can use this and set a common
	// prefix for mail sent by phabricator. It will make use of the fact that
	// a mail-address such as phabricator+D123+1hjk213h@example.com will be
	// delivered to the phabricator users mailbox.
	// Set this to the left part of the email address and it well get
	// prepended to all outgoing mail. If you want to use e.g.
	// 'phabricator@example.com' this should be set to 'phabricator'.
	'metamta.single-reply-handler-prefix' => null,

	// Prefix prepended to mail sent by Maniphest. You can change this to
	// distinguish between testing and development installs, for example.
	'metamta.maniphest.subject-prefix' => '[Maniphest]',

	// See 'metamta.maniphest.reply-handler-domain'. This does the same thing,
	// but allows email replies via Differential.
	'metamta.differential.reply-handler-domain' => null,

	// See 'metamta.maniphest.reply-handler'. This does the same thing, but
	// affects Differential.
	'metamta.differential.reply-handler' => 'DifferentialReplyHandler',

	// Prefix prepended to mail sent by Differential.
	'metamta.differential.subject-prefix' => '[Differential]',

	// Set this to true if you want patches to be attached to mail from
	// Differential. This won't work if you are using SendGrid as your mail
	// adapter.
	'metamta.differential.attach-patches' => false,

	// By default, Phabricator generates unique reply-to addresses and sends a
	// separate email to each recipient when you enable reply handling. This is
	// more secure than using "From" to establish user identity, but can mean
	// users may receive multiple emails when they are on mailing lists. Instead,
	// you can use a single, non-unique reply to address and authenticate users
	// based on the "From" address by setting this to 'true'. This trades away
	// a little bit of security for convenience, but it's reasonable in many
	// installs. Object interactions are still protected using hashes in the
	// single public email address, so objects can not be replied to blindly.
	'metamta.public-replies' => false,

	// You can configure an email address like "bugs@phabricator.example.com"
	// which will automatically create Maniphest tasks when users send email
	// to it. This relies on the "From" address to authenticate users, so it is
	// is not completely secure. To set this up, enter a complete email
	// address like "bugs@phabricator.example.com" and then configure mail to
	// that address so it routed to Phabricator (if you've already configured
	// reply handlers, you're probably already done). See "Configuring Inbound
	// Email" in the documentation for more information.
	'metamta.maniphest.public-create-email' => null,

	// If you enable 'metamta.public-replies', Phabricator uses "From" to
	// authenticate users. You can additionally enable this setting to try to
	// authenticate with 'Reply-To'. Note that this is completely spoofable and
	// insecure (any user can set any 'Reply-To' address) but depending on the
	// nature of your install or other deliverability conditions this might be
	// okay. Generally, you can't do much more by spoofing Reply-To than be
	// annoying (you can write but not read content). But, you know, this is
	// still COMPLETELY INSECURE.
	'metamta.insecure-auth-with-reply-to' => false,

	+ // If you enable 'metamta.maniphest.public-create-email' and create an
	+ // email address like "bugs@phabricator.example.com", it will default to
	+ // rejecting mail which doesn't come from a known user. However, you might
	+ // want to let anyone send email to this address; to do so, set a default
	+ // author here (a Phabricator username). A typical use of this might be to
	+ // create a "System Agent" user called "bugs" and use that name here. If you
	+ // specify a valid username, mail will always be accepted and used to create
	+ // a task, even if the sender is not a system user. The original email
	+ // address will be stored in an 'From Email' field on the task.
	+ 'metamta.maniphest.default-public-author' => null,
	+

	// -- Auth ------------------------------------------------------------------ //

	// Can users login with a username/password, or by following the link from
	// a password reset email? You can disable this and configure one or more
	// OAuth providers instead.
	'auth.password-auth-enabled' => true,

	// Maximum number of simultaneous web sessions each user is permitted to have.
	// Setting this to "1" will prevent a user from logging in on more than one
	// browser at the same time.
	'auth.sessions.web' => 5,

	// Maximum number of simultaneous Conduit sessions each user is permitted
	// to have.
	'auth.sessions.conduit' => 3,

	// Set this true to enable the Settings -> SSH Public Keys panel, which will
	// allow users to associated SSH public keys with their accounts. This is only
	// really useful if you're setting up services over SSH and want to use
	// Phabricator for authentication; in most situations you can leave this
	// disabled.
	'auth.sshkeys.enabled' => false,


	// -- Accounts -------------------------------------------------------------- //

	// Is basic account information (email, real name, profile picture) editable?
	// If you set up Phabricator to automatically synchronize account information
	// from some other authoritative system, you can disable this to ensure
	// information remains consistent across both systems.
	'account.editable' => true,


	// -- Facebook ------------------------------------------------------------ //

	// Can users use Facebook credentials to login to Phabricator?
	'facebook.auth-enabled' => false,

	// Can users use Facebook credentials to create new Phabricator accounts?
	'facebook.registration-enabled' => true,

	// Are Facebook accounts permanently linked to Phabricator accounts, or can
	// the user unlink them?
	'facebook.auth-permanent' => false,

	// The Facebook "Application ID" to use for Facebook API access.
	'facebook.application-id' => null,

	// The Facebook "Application Secret" to use for Facebook API access.
	'facebook.application-secret' => null,


	// -- Github ---------------------------------------------------------------- //

	// Can users use Github credentials to login to Phabricator?
	'github.auth-enabled' => false,

	// Can users use Github credentials to create new Phabricator accounts?
	'github.registration-enabled' => true,

	// Are Github accounts permanently linked to Phabricator accounts, or can
	// the user unlink them?
	'github.auth-permanent' => false,

	// The Github "Client ID" to use for Github API access.
	'github.application-id' => null,

	// The Github "Secret" to use for Github API access.
	'github.application-secret' => null,


	// -- Google ---------------------------------------------------------------- //

	// Can users use Google credentials to login to Phabricator?
	'google.auth-enabled' => false,

	// Can users use Google credentials to create new Phabricator accounts?
	'google.registration-enabled' => true,

	// Are Google accounts permanently linked to Phabricator accounts, or can
	// the user unlink them?
	'google.auth-permanent' => false,

	// The Google "Client ID" to use for Google API access.
	'google.application-id' => null,

	// The Google "Client Secret" to use for Google API access.
	'google.application-secret' => null,

	// -- Recaptcha ------------------------------------------------------------- //

	// Is Recaptcha enabled? If disabled, captchas will not appear.
	'recaptcha.enabled' => false,

	// Your Recaptcha public key, obtained from Recaptcha.
	'recaptcha.public-key' => null,

	// Your Recaptcha private key, obtained from Recaptcha.
	'recaptcha.private-key' => null,


	// -- Misc ------------------------------------------------------------------ //

	// This is hashed with other inputs to generate CSRF tokens. If you want, you
	// can change it to some other string which is unique to your install. This
	// will make your install more secure in a vague, mostly theoretical way. But
	// it will take you like 3 seconds of mashing on your keyboard to set it up so
	// you might as well.
	'phabricator.csrf-key' => '0b7ec0592e0a2829d8b71df2fa269b2c6172eca3',

	// This is hashed with other inputs to generate mail tokens. If you want, you
	// can change it to some other string which is unique to your install. In
	// particular, you will want to do this if you accidentally send a bunch of
	// mail somewhere you shouldn't have, to invalidate all old reply-to
	// addresses.
	'phabricator.mail-key' => '5ce3e7e8787f6e40dfae861da315a5cdf1018f12',


	// This is hashed with other inputs to generate file secret keys. Changing
	// it will invalidate all file URIs if you have an alternate file domain
	// configured (see 'security.alternate-file-domain').
	'phabricator.file-key' => 'ade8dadc8b4382067069a4d4798112191af8a190',

	// Version string displayed in the footer. You probably should leave this
	// alone.
	'phabricator.version' => 'UNSTABLE',

	// PHP requires that you set a timezone in your php.ini before using date
	// functions, or it will emit a warning. If this isn't possible (for instance,
	// because you are using HPHP) you can set some valid constant for
	// date_default_timezone_set() here and Phabricator will set it on your
	// behalf, silencing the warning.
	'phabricator.timezone' => null,

	// When unhandled exceptions occur, stack traces are hidden by default.
	// You can enable traces for development to make it easier to debug problems.
	'phabricator.show-stack-traces' => false,

	// When users write comments which have URIs, they'll be automaticaly linked
	// if the protocol appears in this set. This whitelist is primarily to prevent
	// security issues like javascript:// URIs.
	'uri.allowed-protocols' => array(
	'http' => true,
	'https' => true,
	),

	// Tokenizers are UI controls which let the user select other users, email
	// addresses, project names, etc., by typing the first few letters and having
	// the control autocomplete from a list. They can load their data in two ways:
	// either in a big chunk up front, or as the user types. By default, the data
	// is loaded in a big chunk. This is simpler and performs better for small
	// datasets. However, if you have a very large number of users or projects,
	// (in the ballpark of more than a thousand), loading all that data may become
	// slow enough that it's worthwhile to query on demand instead. This makes
	// the typeahead slightly less responsive but overall performance will be much
	// better if you have a ton of stuff. You can figure out which setting is
	// best for your install by changing this setting and then playing with a
	// user tokenizer (like the user selectors in Maniphest or Differential) and
	// seeing which setting loads faster and feels better.
	'tokenizer.ondemand' => false,

	// -- Files ----------------------------------------------------------------- //

	// Lists which uploaded file types may be viewed in the browser. If a file
	// has a mime type which does not appear in this list, it will always be
	// downloaded instead of displayed. This is a security consideration: if a
	// user uploads a file of type "text/html" and it is displayed as
	// "text/html", they can easily execute XSS attacks. This is also a usability
	// consideration, since browsers tend to freak out when viewing enormous
	// binary files.
	//
	// The keys in this array are viewable mime types; the values are the mime
	// types they will be delivered as when they are viewed in the browser.
	//
	// IMPORTANT: Making any file types viewable is a security vulnerability if
	// you do not configure 'security.alternate-file-domain' above.
	'files.viewable-mime-types' => array(
	'image/jpeg' => 'image/jpeg',
	'image/jpg' => 'image/jpg',
	'image/png' => 'image/png',
	'image/gif' => 'image/gif',
	'text/plain' => 'text/plain; charset=utf-8',
	),

	// Phabricator can proxy images from other servers so you can paste the URI
	// to a funny picture of a cat into the comment box and have it show up as an
	// image. However, this means the webserver Phabricator is running on will
	// make HTTP requests to arbitrary URIs. If the server has access to internal
	// resources, this could be a security risk. You should only enable it if you
	// are installed entirely a VPN and VPN access is required to access
	// Phabricator, or if the webserver has no special access to anything. If
	// unsure, it is safer to leave this disabled.
	'files.enable-proxy' => false,


	// -- Storage --------------------------------------------------------------- //

	// Phabricator allows users to upload files, and can keep them in various
	// storage engines. This section allows you to configure which engines
	// Phabricator will use, and how it will use them.

	// The largest filesize Phabricator will store in the MySQL BLOB storage
	// engine, which just uses a database table to store files. While this isn't a
	// best practice, it's really easy to set up. This is hard-limited by the
	// value of 'max_allowed_packet' in MySQL (since this often defaults to 1MB,
	// the default here is slightly smaller than 1MB). Set this to 0 to disable
	// use of the MySQL blob engine.
	'storage.mysql-engine.max-size' => 1000000,

	// Phabricator provides a local disk storage engine, which just writes files
	// to some directory on local disk. The webserver must have read/write
	// permissions on this directory. This is straightforward and suitable for
	// most installs, but will not scale past one web frontend unless the path
	// is actually an NFS mount, since you'll end up with some of the files
	// written to each web frontend and no way for them to share. To use the
	// local disk storage engine, specify the path to a directory here. To
	// disable it, specify null.
	'storage.local-disk.path' => null,

	// If you want to store files in Amazon S3, specify an AWS access and secret
	// key here and a bucket name below.
	'amazon-s3.access-key' => null,
	'amazon-s3.secret-key' => null,

	// Set this to a valid Amazon S3 bucket to store files there. You must also
	// configure S3 access keys above.
	'storage.s3.bucket' => null,

	// Phabricator uses a storage engine selector to choose which storage engine
	// to use when writing file data. If you add new storage engines or want to
	// provide very custom rules (e.g., write images to one storage engine and
	// other files to a different one), you can provide an alternate
	// implementation here. The default engine will use choose MySQL, Local Disk,
	// and S3, in that order, if they have valid configurations above and a file
	// fits within configured limits.
	'storage.engine-selector' => 'PhabricatorDefaultFileStorageEngineSelector',


	// -- Search ---------------------------------------------------------------- //

	// Phabricator uses a search engine selector to choose which search engine
	// to use when indexing and reconstructing documents, and when executing
	// queries. You can override the engine selector to provide a new selector
	// class which can select some custom engine you implement, if you want to
	// store your documents in some search engine which does not have default
	// support.
	'search.engine-selector' => 'PhabricatorDefaultSearchEngineSelector',


	// -- Differential ---------------------------------------------------------- //

	'differential.revision-custom-detail-renderer' => null,

	// Array for custom remarkup rules. The array should have a list of
	// class names of classes that extend PhutilRemarkupRule
	'differential.custom-remarkup-rules' => null,

	// Array for custom remarkup block rules. The array should have a list of
	// class names of classes that extend PhutilRemarkupEngineBlockRule
	'differential.custom-remarkup-block-rules' => null,

	// Set display word-wrap widths for Differential. Specify a dictionary of
	// regular expressions mapping to column widths. The filename will be matched
	// against each regexp in order until one matches. The default configuration
	// uses a width of 100 for Java and 80 for other languages. Note that 80 is
	// the greatest column width of all time. Changes here will not be immediately
	// reflected in old revisions unless you purge the render cache.
	'differential.wordwrap' => array(
	'/\.java$/' => 100,
	'/.*/' => 80,
	),

	// List of file regexps were whitespace is meaningful and should not
	// use 'ignore-all' by default
	'differential.whitespace-matters' => array(
	'/\.py$/',
	),

	'differential.field-selector' => 'DifferentialDefaultFieldSelector',

	// If you set this to true, users can "!accept" revisions via email (normally,
	// they can take other actions but can not "!accept"). This action is disabled
	// by default because email authentication can be configured to be very weak,
	// and, socially, email "!accept" is kind of sketchy and implies revisions may
	// not actually be receiving thorough review.
	'differential.enable-email-accept' => false,


	// -- Maniphest ------------------------------------------------------------- //

	'maniphest.enabled' => true,

	// Array of custom fields for Maniphest tasks. For details on adding custom
	// fields to Maniphest, see "Maniphest User Guide: Adding Custom Fields".
	'maniphest.custom-fields' => array(),

	// Class which drives custom field construction. See "Maniphest User Guide:
	// Adding Custom Fields" in the documentation for more information.
	'maniphest.custom-task-extensions-class' => 'ManiphestDefaultTaskExtensions',

	// -- Remarkup -------------------------------------------------------------- //

	// If you enable this, linked YouTube videos will be embeded inline. This has
	// mild security implications (you'll leak referrers to YouTube) and is pretty
	// silly (but sort of awesome).
	'remarkup.enable-embedded-youtube' => false,


	// -- Garbage Collection ---------------------------------------------------- //

	// Phabricator generates various logs and caches in the database which can
	// be garbage collected after a while to make the total data size more
	// manageable. To run garbage collection, launch a
	// PhabricatorGarbageCollector daemon.

	// Since the GC daemon can issue large writes and table scans, you may want to
	// run it only during off hours or make sure it is scheduled so it doesn't
	// overlap with backups. This determines when the daemon can start running
	// each day.
	'gcdaemon.run-at' => '12 AM',

	// How many seconds after 'gcdaemon.run-at' the daemon may collect garbage
	// for. By default it runs continuously, but you can set it to run for a
	// limited period of time. For instance, if you do backups at 3 AM, you might
	// run garbage collection for an hour beforehand. This is not a high-precision
	// limit so you may want to leave some room for the GC to actually stop, and
	// if you set it to something like 3 seconds you're on your own.
	'gcdaemon.run-for' => 24 * 60 * 60,

	// These 'ttl' keys configure how much old data the GC daemon keeps around.
	// Objects older than the ttl will be collected. Set any value to 0 to store
	// data indefinitely.

	'gcdaemon.ttl.herald-transcripts' => 30 * (24 * 60 * 60),
	'gcdaemon.ttl.daemon-logs' => 7 * (24 * 60 * 60),
	'gcdaemon.ttl.differential-parse-cache' => 14 * (24 * 60 * 60),


	// -- Feed ------------------------------------------------------------------ //

	// If you set this to true, you can embed Phabricator activity feeds in other
	// pages using iframes. These feeds are completely public, and a login is not
	// required to view them! This is intended for things like open source
	// projects that want to expose an activity feed on the project homepage.
	'feed.public' => false,

	// -- Customization --------------------------------------------------------- //

	// Paths to additional phutil libraries to load.
	'load-libraries' => array(),

	'aphront.default-application-configuration-class' =>
	'AphrontDefaultApplicationConfiguration',

	'controller.oauth-registration' =>
	'PhabricatorOAuthDefaultRegistrationController',


	// Directory that phd (the Phabricator daemon control script) should use to
	// track running daemons.
	'phd.pid-directory' => '/var/tmp/phd',

	// This value is an input to the hash function when building resource hashes.
	// It has no security value, but if you accidentally poison user caches (by
	// pushing a bad patch or having something go wrong with a CDN, e.g.) you can
	// change this to something else and rebuild the Celerity map to break user
	// caches. Unless you are doing Celerity development, it is exceptionally
	// unlikely that you need to modify this.
	'celerity.resource-hash' => 'd9455ea150622ee044f7931dabfa52aa',

	// In a development environment, it is desirable to force static resources
	// (CSS and JS) to be read from disk on every request, so that edits to them
	// appear when you reload the page even if you haven't updated the resource
	// maps. This setting ensures requests will be verified against the state on
	// disk. Generally, you should leave this off in production (caching behavior
	// and performance improve with it off) but turn it on in development. (These
	// settings are the defaults.)
	'celerity.force-disk-reads' => false,

	// You can respond to various application events by installing listeners,
	// which will receive callbacks when interesting things occur. Specify a list
	// of classes which extend PhabricatorEventListener here.
	'events.listeners' => array(),

	// -- Pygments -------------------------------------------------------------- //

	// Phabricator can highlight PHP by default, but if you want syntax
	// highlighting for other languages you should install the python package
	// 'Pygments', make sure the 'pygmentize' script is available in the
	// $PATH of the webserver, and then enable this.
	'pygments.enabled' => false,

	// In places that we display a dropdown to syntax-highlight code,
	// this is where that list is defined.
	// Syntax is 'lexer-name' => 'Display Name',
	'pygments.dropdown-choices' => array(
	'apacheconf' => 'Apache Configuration',
	'bash' => 'Bash Scripting',
	'brainfuck' => 'Brainf*ck',
	'c' => 'C',
	'cpp' => 'C++',
	'css' => 'CSS',
	'diff' => 'Diff',
	'django' => 'Django Templating',
	'erb' => 'Embedded Ruby/ERB',
	'erlang' => 'Erlang',
	'html' => 'HTML',
	'infer' => 'Infer from title (extension)',
	'java' => 'Java',
	'js' => 'Javascript',
	'mysql' => 'MySQL',
	'perl' => 'Perl',
	'php' => 'PHP',
	'text' => 'Plain Text',
	'python' => 'Python',
	'rainbow' => 'Rainbow',
	'remarkup' => 'Remarkup',
	'ruby' => 'Ruby',
	'xml' => 'XML',
	),

	'pygments.dropdown-default' => 'infer',

	// This is an override list of regular expressions which allows you to choose
	// what language files are highlighted as. If your projects have certain rules
	// about filenames or use unusual or ambiguous language extensions, you can
	// create a mapping here. This is an ordered dictionary of regular expressions
	// which will be tested against the filename. They should map to either an
	// explicit language as a string value, or a numeric index into the captured
	// groups as an integer.
	'syntax.filemap' => array(
	// Example: Treat all '*.xyz' files as PHP.
	// '@\\.xyz$@' => 'php',

	// Example: Treat 'httpd.conf' as 'apacheconf'.
	// '@/httpd\\.conf$@' => 'apacheconf',

	// Example: Treat all '*.x.bak' file as '.x'. NOTE: we map to capturing
	// group 1 by specifying the mapping as "1".
	// '@\\.([^.]+)\\.bak$@' => 1,
	),

	);
	diff --git a/resources/sql/patches/077.originalemail.sql b/resources/sql/patches/077.originalemail.sql
	new file mode 100644
	index 0000000000..0ce5d9f680
	--- /dev/null
	+++ b/resources/sql/patches/077.originalemail.sql
	@@ -0,0 +1,2 @@
	+ALTER TABLE phabricator_maniphest.maniphest_task
	+ ADD originalEmailSource VARCHAR(255);
	diff --git a/src/applications/maniphest/controller/taskdetail/ManiphestTaskDetailController.php b/src/applications/maniphest/controller/taskdetail/ManiphestTaskDetailController.php
	index a0a1ac1633..96ec82b2ea 100644
	--- a/src/applications/maniphest/controller/taskdetail/ManiphestTaskDetailController.php
	+++ b/src/applications/maniphest/controller/taskdetail/ManiphestTaskDetailController.php
	@@ -1,475 +1,486 @@
	<?php

	/*
	* Copyright 2011 Facebook, Inc.
	*
	* Licensed under the Apache License, Version 2.0 (the "License");
	* you may not use this file except in compliance with the License.
	* You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing, software
	* distributed under the License is distributed on an "AS IS" BASIS,
	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	* See the License for the specific language governing permissions and
	* limitations under the License.
	*/

	/**
	* @group maniphest
	*/
	class ManiphestTaskDetailController extends ManiphestController {

	private $id;

	public function willProcessRequest(array $data) {
	$this->id = $data['id'];
	}

	public function processRequest() {

	$request = $this->getRequest();
	$user = $request->getUser();

	$e_title = null;

	$priority_map = ManiphestTaskPriority::getTaskPriorityMap();

	$task = id(new ManiphestTask())->load($this->id);
	if (!$task) {
	return new Aphront404Response();
	}

	$workflow = $request->getStr('workflow');
	$parent_task = null;
	if ($workflow && is_numeric($workflow)) {
	$parent_task = id(new ManiphestTask())->load($workflow);
	}

	$extensions = ManiphestTaskExtensions::newExtensions();
	$aux_fields = $extensions->getAuxiliaryFieldSpecifications();

	$transactions = id(new ManiphestTransaction())->loadAllWhere(
	'taskID = %d ORDER BY id ASC',
	$task->getID());

	$phids = array();
	foreach ($transactions as $transaction) {
	foreach ($transaction->extractPHIDs() as $phid) {
	$phids[$phid] = true;
	}
	}
	foreach ($task->getCCPHIDs() as $phid) {
	$phids[$phid] = true;
	}
	foreach ($task->getProjectPHIDs() as $phid) {
	$phids[$phid] = true;
	}
	if ($task->getOwnerPHID()) {
	$phids[$task->getOwnerPHID()] = true;
	}
	$phids[$task->getAuthorPHID()] = true;

	$attached = $task->getAttached();
	foreach ($attached as $type => $list) {
	foreach ($list as $phid => $info) {
	$phids[$phid] = true;
	}
	}

	if ($parent_task) {
	$phids[$parent_task->getPHID()] = true;
	}

	$phids = array_keys($phids);

	$handles = id(new PhabricatorObjectHandleData($phids))
	->loadHandles();

	$engine = PhabricatorMarkupEngine::newManiphestMarkupEngine();

	$dict = array();
	$dict['Status'] =
	'<strong>'.
	ManiphestTaskStatus::getTaskStatusFullName($task->getStatus()).
	'</strong>';

	$dict['Assigned To'] = $task->getOwnerPHID()
	? $handles[$task->getOwnerPHID()]->renderLink()
	: '<em>None</em>';

	$dict['Priority'] = ManiphestTaskPriority::getTaskPriorityName(
	$task->getPriority());

	$cc = $task->getCCPHIDs();
	if ($cc) {
	$cc_links = array();
	foreach ($cc as $phid) {
	$cc_links[] = $handles[$phid]->renderLink();
	}
	$dict['CC'] = implode(', ', $cc_links);
	} else {
	$dict['CC'] = '<em>None</em>';
	}

	$dict['Author'] = $handles[$task->getAuthorPHID()]->renderLink();

	+ $source = $task->getOriginalEmailSource();
	+ if ($source) {
	+ $subject = '[T'.$task->getID().'] '.$task->getTitle();
	+ $dict['From Email'] = phutil_render_tag(
	+ 'a',
	+ array(
	+ 'href' => 'mailto:'.$source.'?subject='.$subject
	+ ),
	+ phutil_escape_html($source));
	+ }
	+
	$projects = $task->getProjectPHIDs();
	if ($projects) {
	$project_links = array();
	foreach ($projects as $phid) {
	$project_links[] = $handles[$phid]->renderLink();
	}
	$dict['Projects'] = implode(', ', $project_links);
	} else {
	$dict['Projects'] = '<em>None</em>';
	}

	if ($aux_fields) {
	foreach ($aux_fields as $aux_field) {
	$attribute = $task->loadAuxiliaryAttribute(
	$aux_field->getAuxiliaryKey()
	);

	if ($attribute) {
	$aux_field->setValue($attribute->getValue());
	}

	$dict[$aux_field->getLabel()] = $aux_field->renderForDetailView();
	}
	}

	$dtasks = idx($attached, PhabricatorPHIDConstants::PHID_TYPE_TASK);
	if ($dtasks) {
	$dtask_links = array();
	foreach ($dtasks as $dtask => $info) {
	$dtask_links[] = $handles[$dtask]->renderLink();
	}
	$dtask_links = implode('<br />', $dtask_links);
	$dict['Depends On'] = $dtask_links;
	}

	$revs = idx($attached, PhabricatorPHIDConstants::PHID_TYPE_DREV);
	if ($revs) {
	$rev_links = array();
	foreach ($revs as $rev => $info) {
	$rev_links[] = $handles[$rev]->renderLink();
	}
	$rev_links = implode('<br />', $rev_links);
	$dict['Revisions'] = $rev_links;
	}

	$file_infos = idx($attached, PhabricatorPHIDConstants::PHID_TYPE_FILE);
	if ($file_infos) {
	$file_phids = array_keys($file_infos);

	$files = id(new PhabricatorFile())->loadAllWhere(
	'phid IN (%Ls)',
	$file_phids);

	$views = array();
	foreach ($files as $file) {
	$view = new AphrontFilePreviewView();
	$view->setFile($file);
	$views[] = $view->render();
	}
	$dict['Files'] = implode('', $views);
	}

	$dict['Description'] =
	'<div class="maniphest-task-description">'.
	'<div class="phabricator-remarkup">'.
	$engine->markupText($task->getDescription()).
	'</div>'.
	'</div>';

	require_celerity_resource('mainphest-task-detail-css');

	$table = array();
	foreach ($dict as $key => $value) {
	$table[] =
	'<tr>'.
	'<th>'.phutil_escape_html($key).':</th>'.
	'<td>'.$value.'</td>'.
	'</tr>';
	}
	$table =
	'<table class="maniphest-task-properties">'.
	implode("\n", $table).
	'</table>';

	$context_bar = null;

	if ($parent_task) {
	$context_bar = new AphrontContextBarView();
	$context_bar->addButton(
	phutil_render_tag(
	'a',
	array(
	'href' => '/maniphest/task/create/?parent='.$parent_task->getID(),
	'class' => 'green button',
	),
	'Create Another Subtask'));
	$context_bar->appendChild(
	'Created a subtask of <strong>'.
	$handles[$parent_task->getPHID()]->renderLink().
	'</strong>');
	} else if ($workflow == 'create') {
	$context_bar = new AphrontContextBarView();
	$context_bar->addButton(
	phutil_render_tag(
	'a',
	array(
	'href' => '/maniphest/task/create/?template='.$task->getID(),
	'class' => 'green button',
	),
	'Create Another Task'));
	$context_bar->appendChild('New task created.');
	}

	$actions = array();

	$action = new AphrontHeadsupActionView();
	$action->setName('Edit Task');
	$action->setURI('/maniphest/task/edit/'.$task->getID().'/');
	$action->setClass('action-edit');
	$actions[] = $action;

	require_celerity_resource('phabricator-object-selector-css');
	require_celerity_resource('javelin-behavior-phabricator-object-selector');

	$action = new AphrontHeadsupActionView();
	$action->setName('Merge Duplicates');
	$action->setURI('/search/attach/'.$task->getPHID().'/TASK/merge/');
	$action->setWorkflow(true);
	$action->setClass('action-merge');
	$actions[] = $action;

	$action = new AphrontHeadsupActionView();
	$action->setName('Create Subtask');
	$action->setURI('/maniphest/task/create/?parent='.$task->getID());
	$action->setClass('action-branch');
	$actions[] = $action;


	$action = new AphrontHeadsupActionView();
	$action->setName('Edit Dependencies');
	$action->setURI('/search/attach/'.$task->getPHID().'/TASK/dependencies/');
	$action->setWorkflow(true);
	$action->setClass('action-dependencies');
	$actions[] = $action;

	$action = new AphrontHeadsupActionView();
	$action->setName('Edit Differential Revisions');
	$action->setURI('/search/attach/'.$task->getPHID().'/DREV/');
	$action->setWorkflow(true);
	$action->setClass('action-attach');
	$actions[] = $action;

	$action_list = new AphrontHeadsupActionListView();
	$action_list->setActions($actions);

	$panel =
	'<div class="maniphest-panel">'.
	$action_list->render().
	'<div class="maniphest-task-detail-core">'.
	'<h1>'.
	'<span class="aphront-headsup-object-name">'.
	phutil_escape_html('T'.$task->getID()).
	'</span>'.
	' '.
	phutil_escape_html($task->getTitle()).
	'</h1>'.
	$table.
	'</div>'.
	'</div>';

	$transaction_types = ManiphestTransactionType::getTransactionTypeMap();
	$resolution_types = ManiphestTaskStatus::getTaskStatusMap();

	if ($task->getStatus() == ManiphestTaskStatus::STATUS_OPEN) {
	$resolution_types = array_select_keys(
	$resolution_types,
	array(
	ManiphestTaskStatus::STATUS_CLOSED_RESOLVED,
	ManiphestTaskStatus::STATUS_CLOSED_WONTFIX,
	ManiphestTaskStatus::STATUS_CLOSED_INVALID,
	ManiphestTaskStatus::STATUS_CLOSED_SPITE,
	));
	} else {
	$resolution_types = array(
	ManiphestTaskStatus::STATUS_OPEN => 'Reopened',
	);
	$transaction_types[ManiphestTransactionType::TYPE_STATUS] =
	'Reopen Task';
	unset($transaction_types[ManiphestTransactionType::TYPE_PRIORITY]);
	unset($transaction_types[ManiphestTransactionType::TYPE_OWNER]);
	}

	$default_claim = array(
	$user->getPHID() => $user->getUsername().' ('.$user->getRealName().')',
	);

	$draft = id(new PhabricatorDraft())->loadOneWhere(
	'authorPHID = %s AND draftKey = %s',
	$user->getPHID(),
	$task->getPHID());
	if ($draft) {
	$draft_text = $draft->getDraft();
	} else {
	$draft_text = null;
	}

	$panel_id = celerity_generate_unique_node_id();

	$comment_form = new AphrontFormView();
	$comment_form
	->setUser($user)
	->setAction('/maniphest/transaction/save/')
	->setEncType('multipart/form-data')
	->addHiddenInput('taskID', $task->getID())
	->appendChild(
	id(new AphrontFormSelectControl())
	->setLabel('Action')
	->setName('action')
	->setOptions($transaction_types)
	->setID('transaction-action'))
	->appendChild(
	id(new AphrontFormSelectControl())
	->setLabel('Resolution')
	->setName('resolution')
	->setControlID('resolution')
	->setControlStyle('display: none')
	->setOptions($resolution_types))
	->appendChild(
	id(new AphrontFormTokenizerControl())
	->setLabel('Assign To')
	->setName('assign_to')
	->setControlID('assign_to')
	->setControlStyle('display: none')
	->setID('assign-tokenizer')
	->setDisableBehavior(true))
	->appendChild(
	id(new AphrontFormTokenizerControl())
	->setLabel('CCs')
	->setName('ccs')
	->setControlID('ccs')
	->setControlStyle('display: none')
	->setID('cc-tokenizer')
	->setDisableBehavior(true))
	->appendChild(
	id(new AphrontFormSelectControl())
	->setLabel('Priority')
	->setName('priority')
	->setOptions($priority_map)
	->setControlID('priority')
	->setControlStyle('display: none')
	->setValue($task->getPriority()))
	->appendChild(
	id(new AphrontFormTokenizerControl())
	->setLabel('Projects')
	->setName('projects')
	->setControlID('projects')
	->setControlStyle('display: none')
	->setID('projects-tokenizer')
	->setDisableBehavior(true))
	->appendChild(
	id(new AphrontFormFileControl())
	->setLabel('File')
	->setName('file')
	->setControlID('file')
	->setControlStyle('display: none'))
	->appendChild(
	id(new AphrontFormTextAreaControl())
	->setLabel('Comments')
	->setName('comments')
	->setValue($draft_text)
	->setID('transaction-comments'))
	->appendChild(
	id(new AphrontFormDragAndDropUploadControl())
	->setLabel('Attached Files')
	->setName('files')
	->setDragAndDropTarget($panel_id)
	->setActivatedClass('aphront-panel-view-drag-and-drop'))
	->appendChild(
	id(new AphrontFormSubmitControl())
	->setValue('Avast!'));

	$control_map = array(
	ManiphestTransactionType::TYPE_STATUS => 'resolution',
	ManiphestTransactionType::TYPE_OWNER => 'assign_to',
	ManiphestTransactionType::TYPE_CCS => 'ccs',
	ManiphestTransactionType::TYPE_PRIORITY => 'priority',
	ManiphestTransactionType::TYPE_PROJECTS => 'projects',
	ManiphestTransactionType::TYPE_ATTACH => 'file',
	);

	Javelin::initBehavior('maniphest-transaction-controls', array(
	'select' => 'transaction-action',
	'controlMap' => $control_map,
	'tokenizers' => array(
	ManiphestTransactionType::TYPE_PROJECTS => array(
	'id' => 'projects-tokenizer',
	'src' => '/typeahead/common/projects/',
	'ondemand' => PhabricatorEnv::getEnvConfig('tokenizer.ondemand'),
	),
	ManiphestTransactionType::TYPE_OWNER => array(
	'id' => 'assign-tokenizer',
	'src' => '/typeahead/common/users/',
	'value' => $default_claim,
	'limit' => 1,
	'ondemand' => PhabricatorEnv::getEnvConfig('tokenizer.ondemand'),
	),
	ManiphestTransactionType::TYPE_CCS => array(
	'id' => 'cc-tokenizer',
	'src' => '/typeahead/common/mailable/',
	'ondemand' => PhabricatorEnv::getEnvConfig('tokenizer.ondemand'),
	),
	),
	));


	Javelin::initBehavior('maniphest-transaction-preview', array(
	'uri' => '/maniphest/transaction/preview/'.$task->getID().'/',
	'preview' => 'transaction-preview',
	'comments' => 'transaction-comments',
	'action' => 'transaction-action',
	'map' => $control_map,
	));

	$comment_panel = new AphrontPanelView();
	$comment_panel->appendChild($comment_form);
	$comment_panel->setID($panel_id);
	$comment_panel->addClass('aphront-panel-accent');
	$comment_panel->setHeader('Weigh In');

	$preview_panel =
	'<div class="aphront-panel-preview">
	<div id="transaction-preview">
	<div class="aphront-panel-preview-loading-text">
	Loading preview...
	</div>
	</div>
	</div>';

	$transaction_view = new ManiphestTransactionListView();
	$transaction_view->setTransactions($transactions);
	$transaction_view->setHandles($handles);
	$transaction_view->setUser($user);
	$transaction_view->setMarkupEngine($engine);

	return $this->buildStandardPageResponse(
	array(
	$context_bar,
	$panel,
	$transaction_view,
	$comment_panel,
	$preview_panel,
	),
	array(
	'title' => 'T'.$task->getID().' '.$task->getTitle(),
	));
	}

	}
	diff --git a/src/applications/maniphest/storage/task/ManiphestTask.php b/src/applications/maniphest/storage/task/ManiphestTask.php
	index df5ebdfdf3..0064116177 100644
	--- a/src/applications/maniphest/storage/task/ManiphestTask.php
	+++ b/src/applications/maniphest/storage/task/ManiphestTask.php
	@@ -1,148 +1,148 @@
	<?php

	/*
	* Copyright 2011 Facebook, Inc.
	*
	* Licensed under the Apache License, Version 2.0 (the "License");
	* you may not use this file except in compliance with the License.
	* You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing, software
	* distributed under the License is distributed on an "AS IS" BASIS,
	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	* See the License for the specific language governing permissions and
	* limitations under the License.
	*/

	/**
	* @group maniphest
	*/
	class ManiphestTask extends ManiphestDAO {

	protected $phid;
	protected $authorPHID;
	protected $ownerPHID;
	protected $ccPHIDs = array();

	protected $status;
	protected $priority;

	protected $title;
	protected $description;
	-
	+ protected $originalEmailSource;
	protected $mailKey;

	protected $attached = array();
	protected $projectPHIDs = array();
	private $projectsNeedUpdate;
	private $subscribersNeedUpdate;

	protected $ownerOrdering;

	public function getConfiguration() {
	return array(
	self::CONFIG_AUX_PHID => true,
	self::CONFIG_SERIALIZATION => array(
	'ccPHIDs' => self::SERIALIZATION_JSON,
	'attached' => self::SERIALIZATION_JSON,
	'projectPHIDs' => self::SERIALIZATION_JSON,
	),
	) + parent::getConfiguration();
	}

	public function getAttachedPHIDs($type) {
	return array_keys(idx($this->attached, $type, array()));
	}

	public function generatePHID() {
	return PhabricatorPHID::generateNewPHID(
	PhabricatorPHIDConstants::PHID_TYPE_TASK);
	}

	public function getCCPHIDs() {
	return nonempty($this->ccPHIDs, array());
	}

	public function setProjectPHIDs(array $phids) {
	$this->projectPHIDs = $phids;
	$this->projectsNeedUpdate = true;
	return $this;
	}

	public function setCCPHIDs(array $phids) {
	$this->ccPHIDs = $phids;
	$this->subscribersNeedUpdate = true;
	return $this;
	}

	public function setOwnerPHID($phid) {
	$this->ownerPHID = $phid;
	$this->subscribersNeedUpdate = true;
	return $this;
	}

	public function setAuxiliaryAttribute($key, $val) {
	$this->removeAuxiliaryAttribute($key);

	$attribute = new ManiphestTaskAuxiliaryStorage();
	$attribute->setTaskPHID($this->phid);
	$attribute->setName($key);
	$attribute->setValue($val);
	$attribute->save();
	}

	public function loadAuxiliaryAttribute($key) {
	$attribute = id(new ManiphestTaskAuxiliaryStorage())->loadOneWhere(
	'taskPHID = %s AND name = %s',
	$this->getPHID(),
	$key);

	return $attribute;
	}

	public function removeAuxiliaryAttribute($key) {
	$attribute = id(new ManiphestTaskAuxiliaryStorage())->loadOneWhere(
	'taskPHID = %s AND name = %s',
	$this->getPHID(),
	$key);

	if ($attribute) {
	$attribute->delete();
	}
	}

	public function loadAuxiliaryAttributes() {
	$attributes = id(new ManiphestTaskAuxiliaryStorage())->loadAllWhere(
	'taskPHID = %s',
	$this->getPHID());

	return $attributes;
	}

	public function save() {
	if (!$this->mailKey) {
	$this->mailKey = sha1(Filesystem::readRandomBytes(20));
	}

	$result = parent::save();

	if ($this->projectsNeedUpdate) {
	// If we've changed the project PHIDs for this task, update the link
	// table.
	ManiphestTaskProject::updateTaskProjects($this);
	$this->projectsNeedUpdate = false;
	}

	if ($this->subscribersNeedUpdate) {
	// If we've changed the subscriber PHIDs for this task, update the link
	// table.
	ManiphestTaskSubscriber::updateTaskSubscribers($this);
	$this->subscribersNeedUpdate = false;
	}

	return $result;
	}

	}
	diff --git a/src/applications/metamta/storage/receivedmail/PhabricatorMetaMTAReceivedMail.php b/src/applications/metamta/storage/receivedmail/PhabricatorMetaMTAReceivedMail.php
	index 10ebdf5fd4..6200424577 100644
	--- a/src/applications/metamta/storage/receivedmail/PhabricatorMetaMTAReceivedMail.php
	+++ b/src/applications/metamta/storage/receivedmail/PhabricatorMetaMTAReceivedMail.php
	@@ -1,257 +1,275 @@
	<?php

	/*
	* Copyright 2011 Facebook, Inc.
	*
	* Licensed under the Apache License, Version 2.0 (the "License");
	* you may not use this file except in compliance with the License.
	* You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing, software
	* distributed under the License is distributed on an "AS IS" BASIS,
	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	* See the License for the specific language governing permissions and
	* limitations under the License.
	*/

	class PhabricatorMetaMTAReceivedMail extends PhabricatorMetaMTADAO {

	protected $headers = array();
	protected $bodies = array();
	protected $attachments = array();

	protected $relatedPHID;
	protected $authorPHID;
	protected $message;

	public function getConfiguration() {
	return array(
	self::CONFIG_SERIALIZATION => array(
	'headers' => self::SERIALIZATION_JSON,
	'bodies' => self::SERIALIZATION_JSON,
	'attachments' => self::SERIALIZATION_JSON,
	),
	) + parent::getConfiguration();
	}

	public function setHeaders(array $headers) {
	// Normalize headers to lowercase.
	$normalized = array();
	foreach ($headers as $name => $value) {
	$normalized[strtolower($name)] = $value;
	}
	$this->headers = $normalized;
	return $this;
	}

	public function getMessageID() {
	return idx($this->headers, 'message-id');
	}

	public function getSubject() {
	return idx($this->headers, 'subject');
	}

	public function processReceivedMail() {
	$to = idx($this->headers, 'to');
	$to = $this->getRawEmailAddress($to);

	$from = idx($this->headers, 'from');

	$create_task = PhabricatorEnv::getEnvConfig(
	'metamta.maniphest.public-create-email');

	if ($create_task && $to == $create_task) {
	+ $receiver = new ManiphestTask();
	+
	$user = $this->lookupPublicUser();
	- if (!$user) {
	- // TODO: We should probably bounce these since from the user's
	- // perspective their email vanishes into a black hole.
	- return $this->setMessage("Invalid public user '{$from}'.")->save();
	+ if ($user) {
	+ $this->setAuthorPHID($user->getPHID());
	+ } else {
	+ $default_author = PhabricatorEnv::getEnvConfig(
	+ 'metamta.manipest.default-public-author');
	+
	+ if ($default_author) {
	+ $user = id(new PhabricatorUser())->loadOneWhere(
	+ 'username = %s',
	+ $default_author);
	+ if ($user) {
	+ $receiver->setOriginalEmailSource($from);
	+ } else {
	+ throw new Exception(
	+ "Phabricator is misconfigured, the configuration key ".
	+ "'metamta.manipest.default-public-author' is set to user ".
	+ "'{$default_author}' but that user does not exist.");
	+ }
	+ } else {
	+ // TODO: We should probably bounce these since from the user's
	+ // perspective their email vanishes into a black hole.
	+ return $this->setMessage("Invalid public user '{$from}'.")->save();
	+ }
	}

	- $this->setAuthorPHID($user->getPHID());
	-
	- $receiver = new ManiphestTask();
	$receiver->setAuthorPHID($user->getPHID());
	$receiver->setPriority(ManiphestTaskPriority::PRIORITY_TRIAGE);

	$editor = new ManiphestTransactionEditor();
	$handler = $editor->buildReplyHandler($receiver);

	$handler->setActor($user);
	$handler->receiveEmail($this);

	$this->setRelatedPHID($receiver->getPHID());
	$this->setMessage('OK');

	return $this->save();
	}

	// We've already stripped this, so look for an object address which has
	// a format like: D291+291+b0a41ca848d66dcc@example.com
	$matches = null;
	$single_handle_prefix = PhabricatorEnv::getEnvConfig(
	'metamta.single-reply-handler-prefix');

	$prefixPattern = ($single_handle_prefix)
	? preg_quote($single_handle_prefix, '/') . '\+'
	: '';
	$pattern = "/^{$prefixPattern}((?:D\|T)\d+)\+([\w]+)\+([a-f0-9]{16})@/U";

	$ok = preg_match(
	$pattern,
	$to,
	$matches);

	if (!$ok) {
	return $this->setMessage("Unrecognized 'to' format: {$to}")->save();
	}

	$receiver_name = $matches[1];
	$user_id = $matches[2];
	$hash = $matches[3];

	if ($user_id == 'public') {
	if (!PhabricatorEnv::getEnvConfig('metamta.public-replies')) {
	return $this->setMessage("Public replies not enabled.")->save();
	}

	$user = $this->lookupPublicUser();

	if (!$user) {
	return $this->setMessage("Invalid public user '{$from}'.")->save();
	}

	$use_user_hash = false;
	} else {
	$user = id(new PhabricatorUser())->load($user_id);
	if (!$user) {
	return $this->setMessage("Invalid private user '{$user_id}'.")->save();
	}

	$use_user_hash = true;
	}

	if ($user->getIsDisabled()) {
	return $this->setMessage("User '{$user_id}' is disabled")->save();
	}

	$this->setAuthorPHID($user->getPHID());

	$receiver = self::loadReceiverObject($receiver_name);
	if (!$receiver) {
	return $this->setMessage("Invalid object '{$receiver_name}'")->save();
	}

	$this->setRelatedPHID($receiver->getPHID());

	if ($use_user_hash) {
	// This is a private reply-to address, check that the user hash is
	// correct.
	$check_phid = $user->getPHID();
	} else {
	// This is a public reply-to address, check that the object hash is
	// correct.
	$check_phid = $receiver->getPHID();
	}

	$expect_hash = self::computeMailHash($receiver->getMailKey(), $check_phid);
	if ($expect_hash != $hash) {
	return $this->setMessage("Invalid mail hash!")->save();
	}

	if ($receiver instanceof ManiphestTask) {
	$editor = new ManiphestTransactionEditor();
	$handler = $editor->buildReplyHandler($receiver);
	} else if ($receiver instanceof DifferentialRevision) {
	$handler = DifferentialMail::newReplyHandlerForRevision($receiver);
	}

	$handler->setActor($user);
	$handler->receiveEmail($this);

	$this->setMessage('OK');

	return $this->save();
	}

	public function getCleanTextBody() {
	$body = idx($this->bodies, 'text');

	$parser = new PhabricatorMetaMTAEmailBodyParser($body);
	return $parser->stripQuotedText();
	}

	public static function loadReceiverObject($receiver_name) {
	if (!$receiver_name) {
	return null;
	}

	$receiver_type = $receiver_name[0];
	$receiver_id = substr($receiver_name, 1);

	$class_obj = null;
	switch ($receiver_type) {
	case 'T':
	$class_obj = newv('ManiphestTask', array());
	break;
	case 'D':
	$class_obj = newv('DifferentialRevision', array());
	break;
	default:
	return null;
	}

	return $class_obj->load($receiver_id);
	}

	public static function computeMailHash($mail_key, $phid) {
	$global_mail_key = PhabricatorEnv::getEnvConfig('phabricator.mail-key');

	$hash = sha1($mail_key.$global_mail_key.$phid);
	return substr($hash, 0, 16);
	}

	/**
	* Strip an email address down to the actual user@domain.tld part if
	* necessary, since sometimes it will have formatting like
	* '"Abraham Lincoln" <alincoln@logcab.in>'.
	*/
	private function getRawEmailAddress($address) {
	$matches = null;
	$ok = preg_match('/<(.*)>/', $address, $matches);
	if ($ok) {
	$address = $matches[1];
	}
	return $address;
	}

	private function lookupPublicUser() {
	$from = idx($this->headers, 'from');
	$from = $this->getRawEmailAddress($from);

	$user = id(new PhabricatorUser())->loadOneWhere(
	'email = %s',
	$from);

	// If Phabricator is configured to allow "Reply-To" authentication, try
	// the "Reply-To" address if we failed to match the "From" address.
	$config_key = 'metamta.insecure-auth-with-reply-to';
	$allow_reply_to = PhabricatorEnv::getEnvConfig($config_key);

	if (!$user && $allow_reply_to) {
	$reply_to = idx($this->headers, 'reply-to');
	$reply_to = $this->getRawEmailAddress($reply_to);
	if ($reply_to) {
	$user = id(new PhabricatorUser())->loadOneWhere(
	'email = %s',
	$reply_to);
	}
	}

	return $user;
	}

	}

File Metadata

Mime Type: text/x-diff
Expires: Sat, Nov 15, 5:26 PM (11 h, 7 m)
Storage Engine: blob
Storage Format: Raw Data
Storage Handle: 338253
Default Alt Text: (63 KB)

No OneTemporaryActions

View Options

File Metadata

Event Timeline

No OneTemporary
Actions