When users encounter a policy exception for a non-view capability with a custom policy, inline the policy rules

Summary: Fixes T13411. This looks like the last case where you hit a policy explanation and have permission to see the policy, but we don't currently show you the policy rules. This implementation is slightly clumsy, but likely harmless. Test Plan: {F6856421} Maniphest Tasks: T13411 Differential Revision: https://secure.phabricator.com/D20807
2024-11-22 14:52:41 +01:00 · 2019-09-12 09:28:56 -07:00 · 2019-09-12 09:28:56 -07:00 · 4f845d8f8c
commit 4f845d8f8c
parent 0c7ea8c942
1 changed files with 38 additions and 7 deletions
--- a/src/applications/policy/filter/PhabricatorPolicyFilter.php
+++ b/src/applications/policy/filter/PhabricatorPolicyFilter.php
@ -653,14 +653,42 @@ final class PhabricatorPolicyFilter extends Phobject {
        $view_capability);
    }

+    // TODO: This is a bit clumsy. We're producing HTML and text versions of
+    // this message, but can't render the full policy rules in text today.
+    // Users almost never get a text-only version of this exception anyway.
+
+    $head = null;
+    $more = null;
+
    if ($show_details) {
-      $more = PhabricatorPolicy::getPolicyExplanation($viewer, $policy);
+      $head = PhabricatorPolicy::getPolicyExplanation($viewer, $policy);
+
+      $policy_type = PhabricatorPolicyPHIDTypePolicy::TYPECONST;
+      $is_custom = (phid_get_type($policy) === $policy_type);
+      if ($is_custom) {
+        $policy_map = PhabricatorPolicyQuery::loadPolicies(
+          $viewer,
+          $object);
+        if (isset($policy_map[$capability])) {
+          require_celerity_resource('phui-policy-section-view-css');
+
+          $more = id(new PhabricatorPolicyRulesView())
+            ->setViewer($viewer)
+            ->setPolicy($policy_map[$capability]);
+
+          $more = phutil_tag(
+            'div',
+            array(
+              'class' => 'phui-policy-section-view-rules',
+            ),
+            $more);
+        }
+      }
    } else {
-      $more = PhabricatorPolicy::getOpaquePolicyExplanation($viewer, $policy);
+      $head = PhabricatorPolicy::getOpaquePolicyExplanation($viewer, $policy);
    }

-    $more = (array)$more;
-    $more = array_filter($more);
+    $head = (array)$head;

    $exceptions = PhabricatorPolicy::getSpecialRules(
      $object,
@ -668,7 +696,10 @@ final class PhabricatorPolicyFilter extends Phobject {
      $capability,
      true);

-    $details = array_filter(array_merge($more, $exceptions));
+    $text_details = array_filter(array_merge($head, $exceptions));
+    $text_details = implode(' ', $text_details);
+
+    $html_details = array($head, $more, $exceptions);

    $access_denied = $this->renderAccessDenied($object);

@ -677,7 +708,7 @@ final class PhabricatorPolicyFilter extends Phobject {
      $access_denied,
      $capability_name,
      $rejection,
-      implode(' ', $details));
+      $text_details);

    $exception = id(new PhabricatorPolicyException($full_message))
      ->setTitle($access_denied)
@ -685,7 +716,7 @@ final class PhabricatorPolicyFilter extends Phobject {
      ->setRejection($rejection)
      ->setCapability($capability)
      ->setCapabilityName($capability_name)
-      ->setMoreInfo($details);
+      ->setMoreInfo($html_details);

    throw $exception;
  }