Add basic per-object privacy policies
Summary:
Provides a basic start for access policies. Objects expose various capabilities, like CAN_VIEW, CAN_EDIT, etc., and set a policy for each capability. We currently implement three policies, PUBLIC (anyone, including logged-out), USERS (any logged-in) and NOONE (nobody). There's also a way to provide automatic capability grants (e.g., the owner of an object can always see it, even if some capability is set to "NOONE"), but I'm not sure how great the implementation feels and it might change.
Most of the code here is providing a primitive for efficient policy-aware list queries. The problem with doing queries naively is that you have to do crazy amounts of filtering, e.g. to show the user page 6, you need to filter at least 600 objects (and likely more) before you can figure out which ones are 500-600 for them. You can't just do "LIMIT 500, 100" because that might have only 50 results, or no results. Instead, the query looks like "WHERE id > last_visible_id", and then we fetch additional pages as necessary to satisfy the request.
The general idea is that we move all data access to Query classes and have them do object filtering. The ID paging primitive allows efficient paging in most cases, and the executeOne() method provides a concise way to do policy checks for edit/view screens.
We'll probably end up with mostly broader policy UIs or configuration-based policies, but there are at least a few cases for per-object privacy (e.g., marking tasks as "Security", and restricting things to the members of projects) so I figured we'd start with a flexible primitive and the simplify it in the UI where we can.
Test Plan: Unit tests, played around in the UI with various policy settings.
Reviewers: btrahan, vrana, jungejason
Reviewed By: btrahan
CC: aran
Maniphest Tasks: T603
Differential Revision: https://secure.phabricator.com/D2210
2012-04-14 19:13:29 +02:00
|
|
|
<?php
|
|
|
|
|
|
|
|
|
|
interface PhabricatorPolicyInterface {
|
|
|
|
|
|
|
|
|
|
public function getCapabilities();
|
|
|
|
|
public function getPolicy($capability);
|
|
|
|
|
public function hasAutomaticCapability($capability, PhabricatorUser $viewer);
|
|
|
|
|
|
2013-09-27 17:43:41 +02:00
|
|
|
/**
|
|
|
|
|
* Describe exceptions to an object's policy setting.
|
|
|
|
|
*
|
|
|
|
|
* The intent of this method is to explain and inform users about special
|
|
|
|
|
* cases which override configured policy settings. If this object has any
|
|
|
|
|
* such exceptions, explain them by returning one or more human-readable
|
|
|
|
|
* strings which describe the exception in a broad, categorical way. For
|
|
|
|
|
* example:
|
|
|
|
|
*
|
|
|
|
|
* - "The owner of an X can always view and edit it."
|
|
|
|
|
* - "Members of a Y can always view it."
|
|
|
|
|
*
|
|
|
|
|
* You can return `null`, a single string, or a list of strings.
|
|
|
|
|
*
|
|
|
|
|
* The relevant capability to explain (like "view") is passed as a parameter.
|
|
|
|
|
* You should tailor any messages to be relevant to that capability, although
|
|
|
|
|
* they do not need to exclusively describe the capability, and in some cases
|
|
|
|
|
* being more general ("The author can view and edit...") will be more clear.
|
|
|
|
|
*
|
|
|
|
|
* Messages should describe general rules, not specific objects, because the
|
|
|
|
|
* main goal is to teach the user the rules. For example, write "the author",
|
|
|
|
|
* not the specific author's name.
|
|
|
|
|
*
|
|
|
|
|
* @param const @{class:PhabricatorPolicyCapability} constant.
|
|
|
|
|
* @return wild Description of policy exceptions. See above.
|
|
|
|
|
*/
|
|
|
|
|
public function describeAutomaticCapability($capability);
|
|
|
|
|
|
Add basic per-object privacy policies
Summary:
Provides a basic start for access policies. Objects expose various capabilities, like CAN_VIEW, CAN_EDIT, etc., and set a policy for each capability. We currently implement three policies, PUBLIC (anyone, including logged-out), USERS (any logged-in) and NOONE (nobody). There's also a way to provide automatic capability grants (e.g., the owner of an object can always see it, even if some capability is set to "NOONE"), but I'm not sure how great the implementation feels and it might change.
Most of the code here is providing a primitive for efficient policy-aware list queries. The problem with doing queries naively is that you have to do crazy amounts of filtering, e.g. to show the user page 6, you need to filter at least 600 objects (and likely more) before you can figure out which ones are 500-600 for them. You can't just do "LIMIT 500, 100" because that might have only 50 results, or no results. Instead, the query looks like "WHERE id > last_visible_id", and then we fetch additional pages as necessary to satisfy the request.
The general idea is that we move all data access to Query classes and have them do object filtering. The ID paging primitive allows efficient paging in most cases, and the executeOne() method provides a concise way to do policy checks for edit/view screens.
We'll probably end up with mostly broader policy UIs or configuration-based policies, but there are at least a few cases for per-object privacy (e.g., marking tasks as "Security", and restricting things to the members of projects) so I figured we'd start with a flexible primitive and the simplify it in the UI where we can.
Test Plan: Unit tests, played around in the UI with various policy settings.
Reviewers: btrahan, vrana, jungejason
Reviewed By: btrahan
CC: aran
Maniphest Tasks: T603
Differential Revision: https://secure.phabricator.com/D2210
2012-04-14 19:13:29 +02:00
|
|
|
}
|