Auth - add "manage providers" capability

Summary: Ref T6947.

Test Plan: toggled setting in application settings and changes stuck. set policy to admin user a only and could not add a provider as a admin user b.

Reviewers: epriestley

Reviewed By: epriestley

Subscribers: Korvin, epriestley

Maniphest Tasks: T6947

Differential Revision: https://secure.phabricator.com/D11356

src/__phutil_library_map__.php

@@ -179,6 +179,7 @@ phutil_register_library_map(array(
     'AuditActionMenuEventListener' => 'applications/audit/events/AuditActionMenuEventListener.php',
     'AuditConduitAPIMethod' => 'applications/audit/conduit/AuditConduitAPIMethod.php',
     'AuditQueryConduitAPIMethod' => 'applications/audit/conduit/AuditQueryConduitAPIMethod.php',
+    'AuthManageProvidersCapability' => 'applications/auth/capability/AuthManageProvidersCapability.php',
     'CalendarColors' => 'applications/calendar/constants/CalendarColors.php',
     'CalendarConstants' => 'applications/calendar/constants/CalendarConstants.php',
     'CalendarTimeUtil' => 'applications/calendar/util/CalendarTimeUtil.php',
@@ -3256,6 +3257,7 @@ phutil_register_library_map(array(
     'AuditActionMenuEventListener' => 'PhabricatorEventListener',
     'AuditConduitAPIMethod' => 'ConduitAPIMethod',
     'AuditQueryConduitAPIMethod' => 'AuditConduitAPIMethod',
+    'AuthManageProvidersCapability' => 'PhabricatorPolicyCapability',
     'CalendarColors' => 'CalendarConstants',
     'CalendarTimeUtilTestCase' => 'PhabricatorTestCase',
     'CelerityManagementMapWorkflow' => 'CelerityManagementWorkflow',

src/applications/auth/application/PhabricatorAuthApplication.php

@@ -144,4 +144,11 @@ final class PhabricatorAuthApplication extends PhabricatorApplication {
     );
   }
 
+  protected function getCustomCapabilities() {
+    return array(
+      AuthManageProvidersCapability::CAPABILITY => array(
+        'default' => PhabricatorPolicies::POLICY_ADMIN,
+      ),
+    );
+  }
 }

src/applications/auth/capability/AuthManageProvidersCapability.php

@@ -0,0 +1,17 @@
+<?php
+
+final class AuthManageProvidersCapability
+  extends PhabricatorPolicyCapability {
+
+  const CAPABILITY = 'auth.manage.providers';
+
+  public function getCapabilityName() {
+    return pht('Can Manage Auth Providers');
+  }
+
+  public function describeCapabilityRejection() {
+    return pht(
+      'You do not have permission to manage authentication providers.');
+  }
+
+}

src/applications/auth/controller/config/PhabricatorAuthDisableController.php

@@ -3,17 +3,12 @@
 final class PhabricatorAuthDisableController
   extends PhabricatorAuthProviderConfigController {
 
-  private $configID;
-  private $action;
-
-  public function willProcessRequest(array $data) {
-    $this->configID = idx($data, 'id');
-    $this->action = idx($data, 'action');
-  }
-
-  public function processRequest() {
-    $request = $this->getRequest();
+  public function handleRequest(AphrontRequest $request) {
+    $this->requireApplicationCapability(
+      AuthManageProvidersCapability::CAPABILITY);
     $viewer = $request->getUser();
+    $config_id = $request->getURIData('id');
+    $action = $request->getURIData('action');
 
     $config = id(new PhabricatorAuthProviderConfigQuery())
       ->setViewer($viewer)
@@ -22,13 +17,13 @@ final class PhabricatorAuthDisableController
           PhabricatorPolicyCapability::CAN_VIEW,
           PhabricatorPolicyCapability::CAN_EDIT,
         ))
-      ->withIDs(array($this->configID))
+      ->withIDs(array($config_id))
       ->executeOne();
     if (!$config) {
       return new Aphront404Response();
     }
 
-    $is_enable = ($this->action === 'enable');
+    $is_enable = ($action === 'enable');
 
     if ($request->isDialogFormPost()) {
       $xactions = array();

src/applications/auth/controller/config/PhabricatorAuthEditController.php

@@ -3,19 +3,14 @@
 final class PhabricatorAuthEditController
   extends PhabricatorAuthProviderConfigController {
 
-  private $providerClass;
-  private $configID;
-
-  public function willProcessRequest(array $data) {
-    $this->providerClass = idx($data, 'className');
-    $this->configID = idx($data, 'id');
-  }
-
-  public function processRequest() {
-    $request = $this->getRequest();
+  public function handleRequest(AphrontRequest $request) {
+    $this->requireApplicationCapability(
+      AuthManageProvidersCapability::CAPABILITY);
     $viewer = $request->getUser();
+    $provider_class = $request->getURIData('className');
+    $config_id = $request->getURIData('configID');
 
-    if ($this->configID) {
+    if ($config_id) {
       $config = id(new PhabricatorAuthProviderConfigQuery())
         ->setViewer($viewer)
         ->requireCapabilities(
@@ -23,7 +18,7 @@ final class PhabricatorAuthEditController
             PhabricatorPolicyCapability::CAN_VIEW,
             PhabricatorPolicyCapability::CAN_EDIT,
           ))
-        ->withIDs(array($this->configID))
+        ->withIDs(array($config_id))
         ->executeOne();
       if (!$config) {
         return new Aphront404Response();
@@ -38,7 +33,7 @@ final class PhabricatorAuthEditController
     } else {
       $providers = PhabricatorAuthProvider::getAllBaseProviders();
       foreach ($providers as $candidate_provider) {
-        if (get_class($candidate_provider) === $this->providerClass) {
+        if (get_class($candidate_provider) === $provider_class) {
           $provider = $candidate_provider;
           break;
         }

src/applications/auth/controller/config/PhabricatorAuthListController.php

@@ -49,12 +49,15 @@ final class PhabricatorAuthListController
         $item->addAttribute(pht('Allows Registration'));
       }
 
+      $can_manage = $this->hasApplicationCapability(
+        AuthManageProvidersCapability::CAPABILITY);
       if ($config->getIsEnabled()) {
         $item->setBarColor('green');
         $item->addAction(
           id(new PHUIListItemView())
             ->setIcon('fa-times')
             ->setHref($disable_uri)
+            ->setDisabled(!$can_manage)
             ->addSigil('workflow'));
       } else {
         $item->setBarColor('grey');
@@ -63,6 +66,7 @@ final class PhabricatorAuthListController
           id(new PHUIListItemView())
             ->setIcon('fa-plus')
             ->setHref($enable_uri)
+            ->setDisabled(!$can_manage)
             ->addSigil('workflow'));
       }
 

src/applications/auth/controller/config/PhabricatorAuthNewController.php

@@ -3,7 +3,9 @@
 final class PhabricatorAuthNewController
   extends PhabricatorAuthProviderConfigController {
 
-  public function processRequest() {
+  public function handleRequest(AphrontRequest $request) {
+    $this->requireApplicationCapability(
+      AuthManageProvidersCapability::CAPABILITY);
     $request = $this->getRequest();
     $viewer = $request->getUser();
 

src/applications/auth/controller/config/PhabricatorAuthProviderConfigController.php

@@ -3,10 +3,6 @@
 abstract class PhabricatorAuthProviderConfigController
   extends PhabricatorAuthController {
 
-  public function shouldRequireAdmin() {
-    return true;
-  }
-
   protected function buildSideNavView($for_app = false) {
     $nav = new AphrontSideNavFilterView();
     $nav->setBaseURI(new PhutilURI($this->getApplicationURI()));
@@ -27,10 +23,13 @@ abstract class PhabricatorAuthProviderConfigController
   protected function buildApplicationCrumbs() {
     $crumbs = parent::buildApplicationCrumbs();
 
+    $can_create = $this->hasApplicationCapability(
+      AuthManageProvidersCapability::CAPABILITY);
     $crumbs->addAction(
       id(new PHUIListItemView())
         ->setName(pht('Add Authentication Provider'))
         ->setHref($this->getApplicationURI('/config/new/'))
+        ->setDisabled(!$can_create)
         ->setIcon('fa-plus-square'));
 
     return $crumbs;