
Add a policy restricting mailing list management

Summary:
Fixes T7291. There is a class of spam/annoyance attacks here that we should be stricter about preventing, since you can add an individual's address as a mailing list.

This application is likely on the way out so I didn't bother trying to do per-object policies.

Test Plan: Set policy restrictively and could no longer create or edit mailing lists.

Reviewers: joshuaspence, btrahan

Reviewed By: btrahan

Subscribers: epriestley

Maniphest Tasks: T7291

Differential Revision: https://secure.phabricator.com/D11783
This commit is contained in:
epriestley 2015-02-17 11:14:26 -08:00
parent 82f47f9689
commit 267ff7fbc9
7 changed files with 52 additions and 16 deletions


@ -7,7 +7,7 @@
*/ */
return array( return array(
'names' => array( 'names' => array(
'core.pkg.css' => '86353aff', 'core.pkg.css' => 'f8f4b8dc',
'core.pkg.js' => '23d653bb', 'core.pkg.js' => '23d653bb',
'darkconsole.pkg.js' => '8ab24e01', 'darkconsole.pkg.js' => '8ab24e01',
'differential.pkg.css' => '380f07e5', 'differential.pkg.css' => '380f07e5',
@ -124,9 +124,9 @@ return array(
'rsrc/css/phui/phui-action-list.css' => '9ee9910a', 'rsrc/css/phui/phui-action-list.css' => '9ee9910a',
'rsrc/css/phui/phui-action-panel.css' => '4bcb288d', 'rsrc/css/phui/phui-action-panel.css' => '4bcb288d',
'rsrc/css/phui/phui-box.css' => '7b3a2eed', 'rsrc/css/phui/phui-box.css' => '7b3a2eed',
'rsrc/css/phui/phui-button.css' => '008ba5e2', 'rsrc/css/phui/phui-button.css' => 'ffe12633',
'rsrc/css/phui/phui-crumbs-view.css' => '594d719e', 'rsrc/css/phui/phui-crumbs-view.css' => '594d719e',
'rsrc/css/phui/phui-document.css' => 'a494bdf8', 'rsrc/css/phui/phui-document.css' => '8240b0b1',
'rsrc/css/phui/phui-error-view.css' => 'ad042fdd', 'rsrc/css/phui/phui-error-view.css' => 'ad042fdd',
'rsrc/css/phui/phui-feed-story.css' => 'c9f3a0b5', 'rsrc/css/phui/phui-feed-story.css' => 'c9f3a0b5',
'rsrc/css/phui/phui-fontkit.css' => '9ae12677', 'rsrc/css/phui/phui-fontkit.css' => '9ae12677',
@ -773,13 +773,13 @@ return array(
'phui-action-header-view-css' => '89c497e7', 'phui-action-header-view-css' => '89c497e7',
'phui-action-panel-css' => '4bcb288d', 'phui-action-panel-css' => '4bcb288d',
'phui-box-css' => '7b3a2eed', 'phui-box-css' => '7b3a2eed',
'phui-button-css' => '008ba5e2', 'phui-button-css' => 'ffe12633',
'phui-calendar-css' => '8675968e', 'phui-calendar-css' => '8675968e',
'phui-calendar-day-css' => 'de035c8a', 'phui-calendar-day-css' => 'de035c8a',
'phui-calendar-list-css' => 'c1d0ca59', 'phui-calendar-list-css' => 'c1d0ca59',
'phui-calendar-month-css' => 'a92e47d2', 'phui-calendar-month-css' => 'a92e47d2',
'phui-crumbs-view-css' => '594d719e', 'phui-crumbs-view-css' => '594d719e',
'phui-document-view-css' => 'a494bdf8', 'phui-document-view-css' => '8240b0b1',
'phui-error-view-css' => 'ad042fdd', 'phui-error-view-css' => 'ad042fdd',
'phui-feed-story-css' => 'c9f3a0b5', 'phui-feed-story-css' => 'c9f3a0b5',
'phui-font-icon-base-css' => '3dad2ae3', 'phui-font-icon-base-css' => '3dad2ae3',


@ -1955,6 +1955,7 @@ phutil_register_library_map(array(
'PhabricatorMailingListsController' => 'applications/mailinglists/controller/PhabricatorMailingListsController.php', 'PhabricatorMailingListsController' => 'applications/mailinglists/controller/PhabricatorMailingListsController.php',
'PhabricatorMailingListsEditController' => 'applications/mailinglists/controller/PhabricatorMailingListsEditController.php', 'PhabricatorMailingListsEditController' => 'applications/mailinglists/controller/PhabricatorMailingListsEditController.php',
'PhabricatorMailingListsListController' => 'applications/mailinglists/controller/PhabricatorMailingListsListController.php', 'PhabricatorMailingListsListController' => 'applications/mailinglists/controller/PhabricatorMailingListsListController.php',
'PhabricatorMailingListsManageCapability' => 'applications/mailinglists/capability/PhabricatorMailingListsManageCapability.php',
'PhabricatorMainMenuSearchView' => 'view/page/menu/PhabricatorMainMenuSearchView.php', 'PhabricatorMainMenuSearchView' => 'view/page/menu/PhabricatorMainMenuSearchView.php',
'PhabricatorMainMenuView' => 'view/page/menu/PhabricatorMainMenuView.php', 'PhabricatorMainMenuView' => 'view/page/menu/PhabricatorMainMenuView.php',
'PhabricatorManagementWorkflow' => 'infrastructure/management/PhabricatorManagementWorkflow.php', 'PhabricatorManagementWorkflow' => 'infrastructure/management/PhabricatorManagementWorkflow.php',
@ -5228,6 +5229,7 @@ phutil_register_library_map(array(
'PhabricatorMailingListsController' => 'PhabricatorController', 'PhabricatorMailingListsController' => 'PhabricatorController',
'PhabricatorMailingListsEditController' => 'PhabricatorMailingListsController', 'PhabricatorMailingListsEditController' => 'PhabricatorMailingListsController',
'PhabricatorMailingListsListController' => 'PhabricatorMailingListsController', 'PhabricatorMailingListsListController' => 'PhabricatorMailingListsController',
'PhabricatorMailingListsManageCapability' => 'PhabricatorPolicyCapability',
'PhabricatorMainMenuSearchView' => 'AphrontView', 'PhabricatorMainMenuSearchView' => 'AphrontView',
'PhabricatorMainMenuView' => 'AphrontView', 'PhabricatorMainMenuView' => 'AphrontView',
'PhabricatorManagementWorkflow' => 'PhutilArgumentWorkflow', 'PhabricatorManagementWorkflow' => 'PhutilArgumentWorkflow',


@ -37,4 +37,12 @@ final class PhabricatorMailingListsApplication extends PhabricatorApplication {
return '@'; return '@';
} }
protected function getCustomCapabilities() {
return array(
PhabricatorMailingListsManageCapability::CAPABILITY => array(
'default' => PhabricatorPolicies::POLICY_ADMIN,
),
);
}
} }
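Review bot: The `'default' => PhabricatorPolicies::POLICY_ADMIN` entry in getCustomCapabilities carries no explanation of why the default is admin-only, which makes it easy for a later change to relax it without knowing the threat it closes. A one-line comment above the entry would preserve the rationale, e.g. `// Admin-only by default: anyone able to create a list can register an arbitrary individual's address as one (T7291).` The class header and the rest of PhabricatorMailingListsApplication are outside this hunk.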


@ -0,0 +1,16 @@
<?php
final class PhabricatorMailingListsManageCapability
extends PhabricatorPolicyCapability {
const CAPABILITY = 'mailinglists.manage';
public function getCapabilityName() {
return pht('Can Manage Lists');
}
public function describeCapabilityRejection() {
return pht('You do not have permission to manage mailing lists.');
}
}
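Review bot: PhabricatorMailingListsManageCapability has no class-level doc comment, so nothing in the new file says what the capability gates or where its default policy lives. A short docblock above the `final class` line would help, e.g. `/** Capability required to create or edit mailing lists; the default policy is declared in PhabricatorMailingListsApplication::getCustomCapabilities(). */` The two `pht()` strings are already self-explanatory and need no further comment.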


@ -28,11 +28,16 @@ abstract class PhabricatorMailingListsController extends PhabricatorController {
protected function buildApplicationCrumbs() { protected function buildApplicationCrumbs() {
$crumbs = parent::buildApplicationCrumbs(); $crumbs = parent::buildApplicationCrumbs();
$can_manage = $this->hasApplicationCapability(
PhabricatorMailingListsManageCapability::CAPABILITY);
$crumbs->addAction( $crumbs->addAction(
id(new PHUIListItemView()) id(new PHUIListItemView())
->setName(pht('Create List')) ->setName(pht('Create List'))
->setHref($this->getApplicationURI('edit/')) ->setHref($this->getApplicationURI('edit/'))
->setIcon('fa-plus-square')); ->setIcon('fa-plus-square')
->setDisabled(!$can_manage)
->setWorkflow(!$can_manage));
return $crumbs; return $crumbs;
} }
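Review bot: The `->setDisabled(!$can_manage)` / `->setWorkflow(!$can_manage)` pair in buildApplicationCrumbs only changes how the "Create List" link renders and should not be mistaken for the access check itself. A brief comment above the `$can_manage` assignment would prevent that reading, e.g. `// UI hint only; PhabricatorMailingListsEditController enforces the capability with requireApplicationCapability().` The enclosing class starts outside this hunk.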


@ -3,21 +3,19 @@
final class PhabricatorMailingListsEditController final class PhabricatorMailingListsEditController
extends PhabricatorMailingListsController { extends PhabricatorMailingListsController {
private $id; public function handleRequest(AphrontRequest $request) {
public function willProcessRequest(array $data) {
$this->id = idx($data, 'id');
}
public function processRequest() {
$request = $this->getRequest(); $request = $this->getRequest();
$viewer = $request->getUser(); $viewer = $request->getUser();
if ($this->id) { $this->requireApplicationCapability(
PhabricatorMailingListsManageCapability::CAPABILITY);
$list_id = $request->getURIData('id');
if ($list_id) {
$page_title = pht('Edit Mailing List'); $page_title = pht('Edit Mailing List');
$list = id(new PhabricatorMailingListQuery()) $list = id(new PhabricatorMailingListQuery())
->setViewer($viewer) ->setViewer($viewer)
->withIDs(array($this->id)) ->withIDs(array($list_id))
->executeOne(); ->executeOne();
if (!$list) { if (!$list) {
return new Aphront404Response(); return new Aphront404Response();
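Review bot: The new `handleRequest(AphrontRequest $request)` immediately overwrites its parameter with `$request = $this->getRequest();`, which is presumably the same object but leaves two sources of truth for the request; drop that assignment and use the injected `$request` directly. The ordering of `requireApplicationCapability(...)` ahead of `getURIData('id')` and the query is the right one, since it rejects both the create and the edit path before any list is loaded, and a comment such as `// Gate both create and edit before loading anything.` would make that intent explicit. handleRequest's body continues past the end of this hunk.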


@ -64,6 +64,11 @@ final class PhabricatorMailingListSearchEngine
$view = id(new PHUIObjectItemListView()); $view = id(new PHUIObjectItemListView());
$can_manage = PhabricatorPolicyFilter::hasCapability(
$this->requireViewer(),
$this->getApplication(),
PhabricatorMailingListsManageCapability::CAPABILITY);
foreach ($lists as $list) { foreach ($lists as $list) {
$item = new PHUIObjectItemView(); $item = new PHUIObjectItemView();
@ -73,7 +78,9 @@ final class PhabricatorMailingListSearchEngine
$item->addAction( $item->addAction(
id(new PHUIListItemView()) id(new PHUIListItemView())
->setIcon('fa-pencil') ->setIcon('fa-pencil')
->setHref($this->getApplicationURI('/edit/'.$list->getID().'/'))); ->setHref($this->getApplicationURI('/edit/'.$list->getID().'/'))
->setDisabled(!$can_manage)
->setWorkflow(!$can_manage));
$view->addItem($item); $view->addItem($item);
} }