People - refine permissions on creating new users

Summary: Fixes T7142. Make old permission mean "make (non-bot) users" and then nuance the UI for those administrators who can make bot accounts. Test Plan: loaded up admin a with full powers and admin b with restricted powers. noted admin a could make a full user. noted admin b could not make a full user. noted admin b got an error even via clever uri hacking. Reviewers: epriestley Reviewed By: epriestley Subscribers: Korvin, epriestley Maniphest Tasks: T7142 Differential Revision: https://secure.phabricator.com/D11702
2024-11-26 00:32:42 +01:00 · 2015-02-05 16:47:09 -08:00 · 2015-02-05 16:47:09 -08:00 · 345966cb41
commit 345966cb41
parent 57f1ab705e
4 changed files with 28 additions and 10 deletions
--- a/src/applications/people/application/PhabricatorPeopleApplication.php
+++ b/src/applications/people/application/PhabricatorPeopleApplication.php
@ -164,12 +164,23 @@ final class PhabricatorPeopleApplication extends PhabricatorApplication {
  public function getQuickCreateItems(PhabricatorUser $viewer) {
    $items = array();

-    if ($viewer->getIsAdmin()) {
+    $can_create = PhabricatorPolicyFilter::hasCapability(
+      $viewer,
+      $this,
+      PeopleCreateUsersCapability::CAPABILITY);
+
+    if ($can_create) {
      $item = id(new PHUIListItemView())
        ->setName(pht('User Account'))
        ->setIcon('fa-users')
        ->setHref($this->getBaseURI().'create/');
      $items[] = $item;
+    } else if ($viewer->getIsAdmin()) {
+      $item = id(new PHUIListItemView())
+        ->setName(pht('Bot Account'))
+        ->setIcon('fa-android')
+        ->setHref($this->getBaseURI().'new/bot/');
+      $items[] = $item;
    }

    return $items;
--- a/src/applications/people/capability/PeopleCreateUsersCapability.php
+++ b/src/applications/people/capability/PeopleCreateUsersCapability.php
@ -6,7 +6,7 @@ final class PeopleCreateUsersCapability
  const CAPABILITY = 'people.create.users';

  public function getCapabilityName() {
-    return pht('Can Create Users');
+    return pht('Can Create (non-bot) Users');
  }

  public function describeCapabilityRejection() {
--- a/src/applications/people/controller/PhabricatorPeopleListController.php
+++ b/src/applications/people/controller/PhabricatorPeopleListController.php
@ -35,12 +35,19 @@ final class PhabricatorPeopleListController

    $can_create = $this->hasApplicationCapability(
      PeopleCreateUsersCapability::CAPABILITY);
-    $crumbs->addAction(
-      id(new PHUIListItemView())
-      ->setName(pht('Create New User'))
-      ->setHref($this->getApplicationURI('create/'))
-      ->setDisabled(!$can_create)
-      ->setIcon('fa-plus-square'));
+    if ($can_create) {
+      $crumbs->addAction(
+        id(new PHUIListItemView())
+        ->setName(pht('Create New User'))
+        ->setHref($this->getApplicationURI('create/'))
+        ->setIcon('fa-plus-square'));
+    } else if ($viewer->getIsAdmin()) {
+      $crumbs->addAction(
+        id(new PHUIListItemView())
+        ->setName(pht('Create New Bot'))
+        ->setHref($this->getApplicationURI('new/bot/'))
+        ->setIcon('fa-plus-square'));
+    }

    return $crumbs;
  }
--- a/src/applications/people/controller/PhabricatorPeopleNewController.php
+++ b/src/applications/people/controller/PhabricatorPeopleNewController.php
@ -4,13 +4,13 @@ final class PhabricatorPeopleNewController
  extends PhabricatorPeopleController {

  public function handleRequest(AphrontRequest $request) {
-    $this->requireApplicationCapability(
-      PeopleCreateUsersCapability::CAPABILITY);
    $type = $request->getURIData('type');
    $admin = $request->getUser();

    switch ($type) {
      case 'standard':
+        $this->requireApplicationCapability(
+          PeopleCreateUsersCapability::CAPABILITY);
        $is_bot = false;
        break;
      case 'bot':