diff --git a/src/__phutil_library_map__.php b/src/__phutil_library_map__.php index 8e5982ca0d..32f6a0ecd4 100644 --- a/src/__phutil_library_map__.php +++ b/src/__phutil_library_map__.php @@ -179,6 +179,7 @@ phutil_register_library_map(array( 'AuditActionMenuEventListener' => 'applications/audit/events/AuditActionMenuEventListener.php', 'AuditConduitAPIMethod' => 'applications/audit/conduit/AuditConduitAPIMethod.php', 'AuditQueryConduitAPIMethod' => 'applications/audit/conduit/AuditQueryConduitAPIMethod.php', + 'AuthManageProvidersCapability' => 'applications/auth/capability/AuthManageProvidersCapability.php', 'CalendarColors' => 'applications/calendar/constants/CalendarColors.php', 'CalendarConstants' => 'applications/calendar/constants/CalendarConstants.php', 'CalendarTimeUtil' => 'applications/calendar/util/CalendarTimeUtil.php', @@ -3256,6 +3257,7 @@ phutil_register_library_map(array( 'AuditActionMenuEventListener' => 'PhabricatorEventListener', 'AuditConduitAPIMethod' => 'ConduitAPIMethod', 'AuditQueryConduitAPIMethod' => 'AuditConduitAPIMethod', + 'AuthManageProvidersCapability' => 'PhabricatorPolicyCapability', 'CalendarColors' => 'CalendarConstants', 'CalendarTimeUtilTestCase' => 'PhabricatorTestCase', 'CelerityManagementMapWorkflow' => 'CelerityManagementWorkflow', diff --git a/src/applications/auth/application/PhabricatorAuthApplication.php b/src/applications/auth/application/PhabricatorAuthApplication.php index cdf0fe6211..8fd9c1cf68 100644 --- a/src/applications/auth/application/PhabricatorAuthApplication.php +++ b/src/applications/auth/application/PhabricatorAuthApplication.php @@ -144,4 +144,11 @@ final class PhabricatorAuthApplication extends PhabricatorApplication { ); } + protected function getCustomCapabilities() { + return array( + AuthManageProvidersCapability::CAPABILITY => array( + 'default' => PhabricatorPolicies::POLICY_ADMIN, + ), + ); + } } diff --git a/src/applications/auth/capability/AuthManageProvidersCapability.php b/src/applications/auth/capability/AuthManageProvidersCapability.php new file mode 100644 index 0000000000..9d6770bc3a --- /dev/null +++ b/src/applications/auth/capability/AuthManageProvidersCapability.php @@ -0,0 +1,17 @@ +configID = idx($data, 'id'); - $this->action = idx($data, 'action'); - } - - public function processRequest() { - $request = $this->getRequest(); + public function handleRequest(AphrontRequest $request) { + $this->requireApplicationCapability( + AuthManageProvidersCapability::CAPABILITY); $viewer = $request->getUser(); + $config_id = $request->getURIData('id'); + $action = $request->getURIData('action'); $config = id(new PhabricatorAuthProviderConfigQuery()) ->setViewer($viewer) @@ -22,13 +17,13 @@ final class PhabricatorAuthDisableController PhabricatorPolicyCapability::CAN_VIEW, PhabricatorPolicyCapability::CAN_EDIT, )) - ->withIDs(array($this->configID)) + ->withIDs(array($config_id)) ->executeOne(); if (!$config) { return new Aphront404Response(); } - $is_enable = ($this->action === 'enable'); + $is_enable = ($action === 'enable'); if ($request->isDialogFormPost()) { $xactions = array(); diff --git a/src/applications/auth/controller/config/PhabricatorAuthEditController.php b/src/applications/auth/controller/config/PhabricatorAuthEditController.php index aff66ec6e9..b55c8e801a 100644 --- a/src/applications/auth/controller/config/PhabricatorAuthEditController.php +++ b/src/applications/auth/controller/config/PhabricatorAuthEditController.php @@ -3,19 +3,14 @@ final class PhabricatorAuthEditController extends PhabricatorAuthProviderConfigController { - private $providerClass; - private $configID; - - public function willProcessRequest(array $data) { - $this->providerClass = idx($data, 'className'); - $this->configID = idx($data, 'id'); - } - - public function processRequest() { - $request = $this->getRequest(); + public function handleRequest(AphrontRequest $request) { + $this->requireApplicationCapability( + AuthManageProvidersCapability::CAPABILITY); $viewer = $request->getUser(); + $provider_class = $request->getURIData('className'); + $config_id = $request->getURIData('configID'); - if ($this->configID) { + if ($config_id) { $config = id(new PhabricatorAuthProviderConfigQuery()) ->setViewer($viewer) ->requireCapabilities( @@ -23,7 +18,7 @@ final class PhabricatorAuthEditController PhabricatorPolicyCapability::CAN_VIEW, PhabricatorPolicyCapability::CAN_EDIT, )) - ->withIDs(array($this->configID)) + ->withIDs(array($config_id)) ->executeOne(); if (!$config) { return new Aphront404Response(); @@ -38,7 +33,7 @@ final class PhabricatorAuthEditController } else { $providers = PhabricatorAuthProvider::getAllBaseProviders(); foreach ($providers as $candidate_provider) { - if (get_class($candidate_provider) === $this->providerClass) { + if (get_class($candidate_provider) === $provider_class) { $provider = $candidate_provider; break; } diff --git a/src/applications/auth/controller/config/PhabricatorAuthListController.php b/src/applications/auth/controller/config/PhabricatorAuthListController.php index 6458a621f5..b81696caa1 100644 --- a/src/applications/auth/controller/config/PhabricatorAuthListController.php +++ b/src/applications/auth/controller/config/PhabricatorAuthListController.php @@ -49,12 +49,15 @@ final class PhabricatorAuthListController $item->addAttribute(pht('Allows Registration')); } + $can_manage = $this->hasApplicationCapability( + AuthManageProvidersCapability::CAPABILITY); if ($config->getIsEnabled()) { $item->setBarColor('green'); $item->addAction( id(new PHUIListItemView()) ->setIcon('fa-times') ->setHref($disable_uri) + ->setDisabled(!$can_manage) ->addSigil('workflow')); } else { $item->setBarColor('grey'); @@ -63,6 +66,7 @@ final class PhabricatorAuthListController id(new PHUIListItemView()) ->setIcon('fa-plus') ->setHref($enable_uri) + ->setDisabled(!$can_manage) ->addSigil('workflow')); } diff --git a/src/applications/auth/controller/config/PhabricatorAuthNewController.php b/src/applications/auth/controller/config/PhabricatorAuthNewController.php index 1ce5926567..18b4429ea9 100644 --- a/src/applications/auth/controller/config/PhabricatorAuthNewController.php +++ b/src/applications/auth/controller/config/PhabricatorAuthNewController.php @@ -3,7 +3,9 @@ final class PhabricatorAuthNewController extends PhabricatorAuthProviderConfigController { - public function processRequest() { + public function handleRequest(AphrontRequest $request) { + $this->requireApplicationCapability( + AuthManageProvidersCapability::CAPABILITY); $request = $this->getRequest(); $viewer = $request->getUser(); diff --git a/src/applications/auth/controller/config/PhabricatorAuthProviderConfigController.php b/src/applications/auth/controller/config/PhabricatorAuthProviderConfigController.php index e09a6e49d1..a52b0195d1 100644 --- a/src/applications/auth/controller/config/PhabricatorAuthProviderConfigController.php +++ b/src/applications/auth/controller/config/PhabricatorAuthProviderConfigController.php @@ -3,10 +3,6 @@ abstract class PhabricatorAuthProviderConfigController extends PhabricatorAuthController { - public function shouldRequireAdmin() { - return true; - } - protected function buildSideNavView($for_app = false) { $nav = new AphrontSideNavFilterView(); $nav->setBaseURI(new PhutilURI($this->getApplicationURI())); @@ -27,10 +23,13 @@ abstract class PhabricatorAuthProviderConfigController protected function buildApplicationCrumbs() { $crumbs = parent::buildApplicationCrumbs(); + $can_create = $this->hasApplicationCapability( + AuthManageProvidersCapability::CAPABILITY); $crumbs->addAction( id(new PHUIListItemView()) ->setName(pht('Add Authentication Provider')) ->setHref($this->getApplicationURI('/config/new/')) + ->setDisabled(!$can_create) ->setIcon('fa-plus-square')); return $crumbs;