Calendar events should have edit/view policies

Summary: Closes T7940, Calendar events should have edit/view policies. Test Plan: Create new event and save, event should be only visible and editable by creator. Editing policies should correctly set the permissions of editing/viewing the event. Reviewers: epriestley, #blessed_reviewers Reviewed By: epriestley, #blessed_reviewers Subscribers: Korvin, epriestley Maniphest Tasks: T7940 Differential Revision: https://secure.phabricator.com/D12632
2024-12-18 11:30:55 +01:00 · 2015-04-30 14:43:48 -07:00 · 2015-04-30 14:43:48 -07:00 · 11e8e60245
commit 11e8e60245
parent f14e0bf2ef
3 changed files with 65 additions and 3 deletions
--- a/resources/sql/autopatches/20150430.calendar.1.policies.sql
+++ b/resources/sql/autopatches/20150430.calendar.1.policies.sql
@ -0,0 +1,11 @@
+ALTER TABLE {$NAMESPACE}_calendar.calendar_event
+    ADD viewPolicy varbinary(64) NOT NULL;
+
+ALTER TABLE {$NAMESPACE}_calendar.calendar_event
+    ADD editPolicy varbinary(64) NOT NULL;
+
+UPDATE {$NAMESPACE}_calendar.calendar_event
+  SET viewPolicy = 'users' WHERE viewPolicy = '';
+
+UPDATE {$NAMESPACE}_calendar.calendar_event
+  SET editPolicy = userPHID;
--- a/src/applications/calendar/controller/PhabricatorCalendarEventEditController.php
+++ b/src/applications/calendar/controller/PhabricatorCalendarEventEditController.php
@ -138,6 +138,14 @@ final class PhabricatorCalendarEventEditController
            PhabricatorCalendarEventTransaction::TYPE_DESCRIPTION)
          ->setNewValue($description);

+        $xactions[] = id(new PhabricatorCalendarEventTransaction())
+          ->setTransactionType(PhabricatorTransactions::TYPE_VIEW_POLICY)
+          ->setNewValue($request->getStr('viewPolicy'));
+
+        $xactions[] = id(new PhabricatorCalendarEventTransaction())
+          ->setTransactionType(PhabricatorTransactions::TYPE_EDIT_POLICY)
+          ->setNewValue($request->getStr('editPolicy'));
+
        $editor = id(new PhabricatorCalendarEventEditor())
          ->setActor($user)
          ->setContentSourceFromRequest($request)
@ -179,6 +187,23 @@ final class PhabricatorCalendarEventEditController
      ->setName('description')
      ->setValue($event->getDescription());

+    $current_policies = id(new PhabricatorPolicyQuery())
+      ->setViewer($user)
+      ->setObject($event)
+      ->execute();
+    $view_policies = id(new AphrontFormPolicyControl())
+      ->setUser($user)
+      ->setCapability(PhabricatorPolicyCapability::CAN_VIEW)
+      ->setPolicyObject($event)
+      ->setPolicies($current_policies)
+      ->setName('viewPolicy');
+    $edit_policies = id(new AphrontFormPolicyControl())
+      ->setUser($user)
+      ->setCapability(PhabricatorPolicyCapability::CAN_EDIT)
+      ->setPolicyObject($event)
+      ->setPolicies($current_policies)
+      ->setName('editPolicy');
+
    $subscribers = id(new AphrontFormTokenizerControl())
      ->setLabel(pht('Subscribers'))
      ->setName('subscribers')
@ -199,6 +224,8 @@ final class PhabricatorCalendarEventEditController
      ->appendChild($status_select)
      ->appendChild($start_time)
      ->appendChild($end_time)
+      ->appendControl($view_policies)
+      ->appendControl($edit_policies)
      ->appendControl($subscribers)
      ->appendControl($invitees)
      ->appendChild($description);
--- a/src/applications/calendar/storage/PhabricatorCalendarEvent.php
+++ b/src/applications/calendar/storage/PhabricatorCalendarEvent.php
@ -18,6 +18,9 @@ final class PhabricatorCalendarEvent extends PhabricatorCalendarDAO
  protected $description;
  protected $isCancelled;

+  protected $viewPolicy;
+  protected $editPolicy;
+
  private $invitees = self::ATTACHABLE;

  const STATUS_AWAY = 1;
@ -32,6 +35,8 @@ final class PhabricatorCalendarEvent extends PhabricatorCalendarDAO
    return id(new PhabricatorCalendarEvent())
      ->setUserPHID($actor->getPHID())
      ->setIsCancelled(0)
+      ->setViewPolicy($actor->getPHID())
+      ->setEditPolicy($actor->getPHID())
      ->attachInvitees(array());
  }

@ -224,18 +229,37 @@ final class PhabricatorCalendarEvent extends PhabricatorCalendarDAO
  public function getPolicy($capability) {
    switch ($capability) {
      case PhabricatorPolicyCapability::CAN_VIEW:
-        return PhabricatorPolicies::getMostOpenPolicy();
+        return $this->getViewPolicy();
      case PhabricatorPolicyCapability::CAN_EDIT:
-        return $this->getUserPHID();
+        return $this->getEditPolicy();
    }
  }

  public function hasAutomaticCapability($capability, PhabricatorUser $viewer) {
+    // The owner of a task can always view and edit it.
+    $user_phid = $this->getUserPHID();
+    if ($user_phid) {
+      $viewer_phid = $viewer->getPHID();
+      if ($viewer_phid == $user_phid) {
+        return true;
+      }
+    }
+
+    if ($capability == PhabricatorPolicyCapability::CAN_VIEW) {
+      $status = $this->getUserInviteStatus($viewer->getPHID());
+      if ($status == PhabricatorCalendarEventInvitee::STATUS_INVITED ||
+        $status == PhabricatorCalendarEventInvitee::STATUS_ATTENDING ||
+        $status == PhabricatorCalendarEventInvitee::STATUS_DECLINED) {
+        return true;
+      }
+    }
+
    return false;
  }

  public function describeAutomaticCapability($capability) {
-    return null;
+    return pht('The owner of an event can always view and edit it,
+      and invitees can always view it.');
  }

 /* -(  PhabricatorApplicationTransactionInterface  )------------------------- */