
Add a policy restricting mailing list management

Summary:
Fixes T7291. There is a class of spam/annoyance attacks here that we should be more strict about preventing, since you can add an individual's address as a mailing list.

This application is likely on the way out so I didn't bother trying to do per-object policies.

Test Plan: Set policy restrictively and could no longer create or edit mailing lists.

Reviewers: joshuaspence, btrahan

Reviewed By: btrahan

Subscribers: epriestley

Maniphest Tasks: T7291

Differential Revision: https://secure.phabricator.com/D11783
epriestley 2015-02-17 11:14:26 -08:00
parent 82f47f9689
commit 267ff7fbc9
7 changed files with 52 additions and 16 deletions


@ -7,7 +7,7 @@
*/
return array(
'names' => array(
'core.pkg.css' => '86353aff',
'core.pkg.css' => 'f8f4b8dc',
'core.pkg.js' => '23d653bb',
'darkconsole.pkg.js' => '8ab24e01',
'differential.pkg.css' => '380f07e5',
@ -124,9 +124,9 @@ return array(
'rsrc/css/phui/phui-action-list.css' => '9ee9910a',
'rsrc/css/phui/phui-action-panel.css' => '4bcb288d',
'rsrc/css/phui/phui-box.css' => '7b3a2eed',
'rsrc/css/phui/phui-button.css' => '008ba5e2',
'rsrc/css/phui/phui-button.css' => 'ffe12633',
'rsrc/css/phui/phui-crumbs-view.css' => '594d719e',
'rsrc/css/phui/phui-document.css' => 'a494bdf8',
'rsrc/css/phui/phui-document.css' => '8240b0b1',
'rsrc/css/phui/phui-error-view.css' => 'ad042fdd',
'rsrc/css/phui/phui-feed-story.css' => 'c9f3a0b5',
'rsrc/css/phui/phui-fontkit.css' => '9ae12677',
@ -773,13 +773,13 @@ return array(
'phui-action-header-view-css' => '89c497e7',
'phui-action-panel-css' => '4bcb288d',
'phui-box-css' => '7b3a2eed',
'phui-button-css' => '008ba5e2',
'phui-button-css' => 'ffe12633',
'phui-calendar-css' => '8675968e',
'phui-calendar-day-css' => 'de035c8a',
'phui-calendar-list-css' => 'c1d0ca59',
'phui-calendar-month-css' => 'a92e47d2',
'phui-crumbs-view-css' => '594d719e',
'phui-document-view-css' => 'a494bdf8',
'phui-document-view-css' => '8240b0b1',
'phui-error-view-css' => 'ad042fdd',
'phui-feed-story-css' => 'c9f3a0b5',
'phui-font-icon-base-css' => '3dad2ae3',


@ -1955,6 +1955,7 @@ phutil_register_library_map(array(
'PhabricatorMailingListsController' => 'applications/mailinglists/controller/PhabricatorMailingListsController.php',
'PhabricatorMailingListsEditController' => 'applications/mailinglists/controller/PhabricatorMailingListsEditController.php',
'PhabricatorMailingListsListController' => 'applications/mailinglists/controller/PhabricatorMailingListsListController.php',
'PhabricatorMailingListsManageCapability' => 'applications/mailinglists/capability/PhabricatorMailingListsManageCapability.php',
'PhabricatorMainMenuSearchView' => 'view/page/menu/PhabricatorMainMenuSearchView.php',
'PhabricatorMainMenuView' => 'view/page/menu/PhabricatorMainMenuView.php',
'PhabricatorManagementWorkflow' => 'infrastructure/management/PhabricatorManagementWorkflow.php',
@ -5228,6 +5229,7 @@ phutil_register_library_map(array(
'PhabricatorMailingListsController' => 'PhabricatorController',
'PhabricatorMailingListsEditController' => 'PhabricatorMailingListsController',
'PhabricatorMailingListsListController' => 'PhabricatorMailingListsController',
'PhabricatorMailingListsManageCapability' => 'PhabricatorPolicyCapability',
'PhabricatorMainMenuSearchView' => 'AphrontView',
'PhabricatorMainMenuView' => 'AphrontView',
'PhabricatorManagementWorkflow' => 'PhutilArgumentWorkflow',


@ -37,4 +37,12 @@ final class PhabricatorMailingListsApplication extends PhabricatorApplication {
return '@';
}
protected function getCustomCapabilities() {
return array(
PhabricatorMailingListsManageCapability::CAPABILITY => array(
'default' => PhabricatorPolicies::POLICY_ADMIN,
),
);
}
}


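--- /dev/null
+++ b/src/applications/mailinglists/capability/PhabricatorMailingListsManageCapability.php
+<?php
+final class PhabricatorMailingListsManageCapability
+extends PhabricatorPolicyCapability {
+const CAPABILITY = 'mailinglists.manage';
+public function getCapabilityName() {
+return pht('Can Manage Lists');
+}
+public function describeCapabilityRejection() {
+return pht('You do not have permission to manage mailing lists.');
+}
+}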


@ -28,11 +28,16 @@ abstract class PhabricatorMailingListsController extends PhabricatorController {
protected function buildApplicationCrumbs() {
$crumbs = parent::buildApplicationCrumbs();
$can_manage = $this->hasApplicationCapability(
PhabricatorMailingListsManageCapability::CAPABILITY);
$crumbs->addAction(
id(new PHUIListItemView())
->setName(pht('Create List'))
->setHref($this->getApplicationURI('edit/'))
->setIcon('fa-plus-square'));
->setIcon('fa-plus-square')
->setDisabled(!$can_manage)
->setWorkflow(!$can_manage));
return $crumbs;
}


@ -3,21 +3,19 @@
final class PhabricatorMailingListsEditController
extends PhabricatorMailingListsController {
private $id;
public function willProcessRequest(array $data) {
$this->id = idx($data, 'id');
}
public function processRequest() {
public function handleRequest(AphrontRequest $request) {
$request = $this->getRequest();
$viewer = $request->getUser();
if ($this->id) {
$this->requireApplicationCapability(
PhabricatorMailingListsManageCapability::CAPABILITY);
$list_id = $request->getURIData('id');
if ($list_id) {
$page_title = pht('Edit Mailing List');
$list = id(new PhabricatorMailingListQuery())
->setViewer($viewer)
->withIDs(array($this->id))
->withIDs(array($list_id))
->executeOne();
if (!$list) {
return new Aphront404Response();
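Review bot: The requireApplicationCapability() call at the top of handleRequest is the only server-side enforcement this commit adds; the setDisabled()/setWorkflow() changes on the crumb action and the search-engine edit action only hide the affordance, and a comment should say so before a later refactor treats the UI state as the check. Suggested line above the call: `// Gate both create and edit here, before any list lookup; the disabled UI actions elsewhere are affordances, not enforcement.` Because the check runs before the query, a viewer without the capability gets the policy rejection rather than a 404, so this path does not reveal which list IDs exist. The body of handleRequest continues past the end of the hunk, so whether every write in the remainder sits behind this single check cannot be confirmed from here.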


@ -64,6 +64,11 @@ final class PhabricatorMailingListSearchEngine
$view = id(new PHUIObjectItemListView());
$can_manage = PhabricatorPolicyFilter::hasCapability(
$this->requireViewer(),
$this->getApplication(),
PhabricatorMailingListsManageCapability::CAPABILITY);
foreach ($lists as $list) {
$item = new PHUIObjectItemView();
@ -73,7 +78,9 @@ final class PhabricatorMailingListSearchEngine
$item->addAction(
id(new PHUIListItemView())
->setIcon('fa-pencil')
->setHref($this->getApplicationURI('/edit/'.$list->getID().'/')));
->setHref($this->getApplicationURI('/edit/'.$list->getID().'/'))
->setDisabled(!$can_manage)
->setWorkflow(!$can_manage));
$view->addItem($item);
}