People - refine permissions on creating new users

Summary: Fixes T7142. Make old permission mean "make (non-bot) users" and then nuance the UI for those administrators who can make bot accounts.

Test Plan: loaded up admin a with full powers and admin b with restricted powers. noted admin a could make a full user. noted admin b could not make a full user. noted admin b got an error even via clever uri hacking.

Reviewers: epriestley

Reviewed By: epriestley

Subscribers: Korvin, epriestley

Maniphest Tasks: T7142

Differential Revision: https://secure.phabricator.com/D11702

src/applications/people/application/PhabricatorPeopleApplication.php

@@ -164,12 +164,23 @@ final class PhabricatorPeopleApplication extends PhabricatorApplication {
   public function getQuickCreateItems(PhabricatorUser $viewer) {
     $items = array();
 
-    if ($viewer->getIsAdmin()) {
+    $can_create = PhabricatorPolicyFilter::hasCapability(
+      $viewer,
+      $this,
+      PeopleCreateUsersCapability::CAPABILITY);
+
+    if ($can_create) {
       $item = id(new PHUIListItemView())
         ->setName(pht('User Account'))
         ->setIcon('fa-users')
         ->setHref($this->getBaseURI().'create/');
       $items[] = $item;
+    } else if ($viewer->getIsAdmin()) {
+      $item = id(new PHUIListItemView())
+        ->setName(pht('Bot Account'))
+        ->setIcon('fa-android')
+        ->setHref($this->getBaseURI().'new/bot/');
+      $items[] = $item;
     }
 
     return $items;

src/applications/people/capability/PeopleCreateUsersCapability.php

@@ -6,7 +6,7 @@ final class PeopleCreateUsersCapability
   const CAPABILITY = 'people.create.users';
 
   public function getCapabilityName() {
-    return pht('Can Create Users');
+    return pht('Can Create (non-bot) Users');
   }
 
   public function describeCapabilityRejection() {

src/applications/people/controller/PhabricatorPeopleListController.php

@@ -35,12 +35,19 @@ final class PhabricatorPeopleListController
 
     $can_create = $this->hasApplicationCapability(
       PeopleCreateUsersCapability::CAPABILITY);
-    $crumbs->addAction(
+    if ($can_create) {
-      id(new PHUIListItemView())
+      $crumbs->addAction(
-      ->setName(pht('Create New User'))
+        id(new PHUIListItemView())
-      ->setHref($this->getApplicationURI('create/'))
+        ->setName(pht('Create New User'))
-      ->setDisabled(!$can_create)
+        ->setHref($this->getApplicationURI('create/'))
-      ->setIcon('fa-plus-square'));
+        ->setIcon('fa-plus-square'));
+    } else if ($viewer->getIsAdmin()) {
+      $crumbs->addAction(
+        id(new PHUIListItemView())
+        ->setName(pht('Create New Bot'))
+        ->setHref($this->getApplicationURI('new/bot/'))
+        ->setIcon('fa-plus-square'));
+    }
 
     return $crumbs;
   }

src/applications/people/controller/PhabricatorPeopleNewController.php

@@ -4,13 +4,13 @@ final class PhabricatorPeopleNewController
   extends PhabricatorPeopleController {
 
   public function handleRequest(AphrontRequest $request) {
-    $this->requireApplicationCapability(
-      PeopleCreateUsersCapability::CAPABILITY);
     $type = $request->getURIData('type');
     $admin = $request->getUser();
 
     switch ($type) {
       case 'standard':
+        $this->requireApplicationCapability(
+          PeopleCreateUsersCapability::CAPABILITY);
         $is_bot = false;
         break;
       case 'bot':