Add a policy restricting mailing list management
Summary: Fixes T7291. There is a class of spam/annoyance attacks here that we should be more strict about preventing, since you can add an individual's address as a mailing list. This application is likely on the way out so I didn't bother trying to do per-object policies. Test Plan: Set policy restrictively and could no longer create or edit mailing lists. Reviewers: joshuaspence, btrahan Reviewed By: btrahan Subscribers: epriestley Maniphest Tasks: T7291 Differential Revision: https://secure.phabricator.com/D11783
This commit is contained in:
parent
82f47f9689
commit
267ff7fbc9
7 changed files with 52 additions and 16 deletions
|
@ -7,7 +7,7 @@
|
|||
*/
|
||||
return array(
|
||||
'names' => array(
|
||||
'core.pkg.css' => '86353aff',
|
||||
'core.pkg.css' => 'f8f4b8dc',
|
||||
'core.pkg.js' => '23d653bb',
|
||||
'darkconsole.pkg.js' => '8ab24e01',
|
||||
'differential.pkg.css' => '380f07e5',
|
||||
|
@ -124,9 +124,9 @@ return array(
|
|||
'rsrc/css/phui/phui-action-list.css' => '9ee9910a',
|
||||
'rsrc/css/phui/phui-action-panel.css' => '4bcb288d',
|
||||
'rsrc/css/phui/phui-box.css' => '7b3a2eed',
|
||||
'rsrc/css/phui/phui-button.css' => '008ba5e2',
|
||||
'rsrc/css/phui/phui-button.css' => 'ffe12633',
|
||||
'rsrc/css/phui/phui-crumbs-view.css' => '594d719e',
|
||||
'rsrc/css/phui/phui-document.css' => 'a494bdf8',
|
||||
'rsrc/css/phui/phui-document.css' => '8240b0b1',
|
||||
'rsrc/css/phui/phui-error-view.css' => 'ad042fdd',
|
||||
'rsrc/css/phui/phui-feed-story.css' => 'c9f3a0b5',
|
||||
'rsrc/css/phui/phui-fontkit.css' => '9ae12677',
|
||||
|
@ -773,13 +773,13 @@ return array(
|
|||
'phui-action-header-view-css' => '89c497e7',
|
||||
'phui-action-panel-css' => '4bcb288d',
|
||||
'phui-box-css' => '7b3a2eed',
|
||||
'phui-button-css' => '008ba5e2',
|
||||
'phui-button-css' => 'ffe12633',
|
||||
'phui-calendar-css' => '8675968e',
|
||||
'phui-calendar-day-css' => 'de035c8a',
|
||||
'phui-calendar-list-css' => 'c1d0ca59',
|
||||
'phui-calendar-month-css' => 'a92e47d2',
|
||||
'phui-crumbs-view-css' => '594d719e',
|
||||
'phui-document-view-css' => 'a494bdf8',
|
||||
'phui-document-view-css' => '8240b0b1',
|
||||
'phui-error-view-css' => 'ad042fdd',
|
||||
'phui-feed-story-css' => 'c9f3a0b5',
|
||||
'phui-font-icon-base-css' => '3dad2ae3',
|
||||
|
|
|
@ -1955,6 +1955,7 @@ phutil_register_library_map(array(
|
|||
'PhabricatorMailingListsController' => 'applications/mailinglists/controller/PhabricatorMailingListsController.php',
|
||||
'PhabricatorMailingListsEditController' => 'applications/mailinglists/controller/PhabricatorMailingListsEditController.php',
|
||||
'PhabricatorMailingListsListController' => 'applications/mailinglists/controller/PhabricatorMailingListsListController.php',
|
||||
'PhabricatorMailingListsManageCapability' => 'applications/mailinglists/capability/PhabricatorMailingListsManageCapability.php',
|
||||
'PhabricatorMainMenuSearchView' => 'view/page/menu/PhabricatorMainMenuSearchView.php',
|
||||
'PhabricatorMainMenuView' => 'view/page/menu/PhabricatorMainMenuView.php',
|
||||
'PhabricatorManagementWorkflow' => 'infrastructure/management/PhabricatorManagementWorkflow.php',
|
||||
|
@ -5228,6 +5229,7 @@ phutil_register_library_map(array(
|
|||
'PhabricatorMailingListsController' => 'PhabricatorController',
|
||||
'PhabricatorMailingListsEditController' => 'PhabricatorMailingListsController',
|
||||
'PhabricatorMailingListsListController' => 'PhabricatorMailingListsController',
|
||||
'PhabricatorMailingListsManageCapability' => 'PhabricatorPolicyCapability',
|
||||
'PhabricatorMainMenuSearchView' => 'AphrontView',
|
||||
'PhabricatorMainMenuView' => 'AphrontView',
|
||||
'PhabricatorManagementWorkflow' => 'PhutilArgumentWorkflow',
|
||||
|
|
|
@ -37,4 +37,12 @@ final class PhabricatorMailingListsApplication extends PhabricatorApplication {
|
|||
return '@';
|
||||
}
|
||||
|
||||
protected function getCustomCapabilities() {
|
||||
return array(
|
||||
PhabricatorMailingListsManageCapability::CAPABILITY => array(
|
||||
'default' => PhabricatorPolicies::POLICY_ADMIN,
|
||||
),
|
||||
);
|
||||
}
|
||||
|
||||
}
|
||||
|
|
|
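Review bot: The new getCustomCapabilities() method gives no hint why the manage capability defaults to the admin-only policy; the commit description explains it (anyone who can create a list can register an arbitrary individual's address as one), but that reasoning is not in the code. A one-line comment above the `'default'` entry, e.g. `// Admin-only by default: creating a list lets a user register an arbitrary address as a list (T7291).`, would preserve the rationale next to the setting it justifies. The enclosing PhabricatorMailingListsApplication class starts outside the hunk.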
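--- /dev/null
+++ b/applications/mailinglists/capability/PhabricatorMailingListsManageCapability.php
@@ -0,0 +1,16 @@
+<?php
+
+final class PhabricatorMailingListsManageCapability
+extends PhabricatorPolicyCapability {
+
+const CAPABILITY = 'mailinglists.manage';
+
+public function getCapabilityName() {
+return pht('Can Manage Lists');
+}
+
+public function describeCapabilityRejection() {
+return pht('You do not have permission to manage mailing lists.');
+}
+
+}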
@ -28,11 +28,16 @@ abstract class PhabricatorMailingListsController extends PhabricatorController {
|
|||
protected function buildApplicationCrumbs() {
|
||||
$crumbs = parent::buildApplicationCrumbs();
|
||||
|
||||
$can_manage = $this->hasApplicationCapability(
|
||||
PhabricatorMailingListsManageCapability::CAPABILITY);
|
||||
|
||||
$crumbs->addAction(
|
||||
id(new PHUIListItemView())
|
||||
->setName(pht('Create List'))
|
||||
->setHref($this->getApplicationURI('edit/'))
|
||||
->setIcon('fa-plus-square'));
|
||||
->setIcon('fa-plus-square')
|
||||
->setDisabled(!$can_manage)
|
||||
->setWorkflow(!$can_manage));
|
||||
|
||||
return $crumbs;
|
||||
}
|
||||
|
|
|
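Review bot: `->setDisabled(!$can_manage)` and `->setWorkflow(!$can_manage)` on the Create List action only change how the crumb action is rendered; they are not what blocks a user without the capability, and the same pattern is added to the per-list edit action in the PhabricatorMailingListSearchEngine hunks. The enforcing check is the `requireApplicationCapability(...)` call in PhabricatorMailingListsEditController::handleRequest in this same commit, which runs before any list is loaded. A short comment above `$can_manage`, such as `// Presentation only: the edit controller enforces the capability.`, would stop a later reader from treating these flags as the guard.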
@ -3,21 +3,19 @@
|
|||
final class PhabricatorMailingListsEditController
|
||||
extends PhabricatorMailingListsController {
|
||||
|
||||
private $id;
|
||||
|
||||
public function willProcessRequest(array $data) {
|
||||
$this->id = idx($data, 'id');
|
||||
}
|
||||
|
||||
public function processRequest() {
|
||||
public function handleRequest(AphrontRequest $request) {
|
||||
$request = $this->getRequest();
|
||||
$viewer = $request->getUser();
|
||||
|
||||
if ($this->id) {
|
||||
$this->requireApplicationCapability(
|
||||
PhabricatorMailingListsManageCapability::CAPABILITY);
|
||||
|
||||
$list_id = $request->getURIData('id');
|
||||
if ($list_id) {
|
||||
$page_title = pht('Edit Mailing List');
|
||||
$list = id(new PhabricatorMailingListQuery())
|
||||
->setViewer($viewer)
|
||||
->withIDs(array($this->id))
|
||||
->withIDs(array($list_id))
|
||||
->executeOne();
|
||||
if (!$list) {
|
||||
return new Aphront404Response();
|
||||
|
|
|
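Review bot: The retained line `$request = $this->getRequest();` now reassigns the `$request` parameter that the new `handleRequest(AphrontRequest $request)` signature already receives, which is redundant and obscures that the request is injected; drop that line and use the parameter directly. Calling `requireApplicationCapability(...)` before the query is the right order, since it rejects both the create and the edit path before any list is loaded, and a comment such as `// Both create and edit require the manage capability; check before loading anything.` would make that intent explicit. handleRequest continues past the end of the hunk.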
@ -64,6 +64,11 @@ final class PhabricatorMailingListSearchEngine
|
|||
|
||||
$view = id(new PHUIObjectItemListView());
|
||||
|
||||
$can_manage = PhabricatorPolicyFilter::hasCapability(
|
||||
$this->requireViewer(),
|
||||
$this->getApplication(),
|
||||
PhabricatorMailingListsManageCapability::CAPABILITY);
|
||||
|
||||
foreach ($lists as $list) {
|
||||
$item = new PHUIObjectItemView();
|
||||
|
||||
|
@ -73,7 +78,9 @@ final class PhabricatorMailingListSearchEngine
|
|||
$item->addAction(
|
||||
id(new PHUIListItemView())
|
||||
->setIcon('fa-pencil')
|
||||
->setHref($this->getApplicationURI('/edit/'.$list->getID().'/')));
|
||||
->setHref($this->getApplicationURI('/edit/'.$list->getID().'/'))
|
||||
->setDisabled(!$can_manage)
|
||||
->setWorkflow(!$can_manage));
|
||||
|
||||
$view->addItem($item);
|
||||
}
|
||||
|
|