Add user omnipotence
Summary: Daemons (and probably a few other things) need to make queries without having a real user. Introduce a formal omnipotent user who can bypass any policy restriction. (I called this "omnipotent" rather than "omniscient" because it can bypass CAN_EDIT, CAN_JOIN, etc. "Omnicapable" might be a better word, but AFAIK is not a real word.) Test Plan: Unit tests. Reviewers: vrana, edward Reviewed By: edward CC: aran Maniphest Tasks: T603 Differential Revision: https://secure.phabricator.com/D5149
parent
ea3472e87b
commit
57cce93e5a
3 changed files with 54 additions and 0 deletions
|
@ -26,6 +26,7 @@ final class PhabricatorUser extends PhabricatorUserDAO implements PhutilPerson {
|
|||
protected $isDisabled = 0;
|
||||
|
||||
private $preferences = null;
|
||||
private $omnipotent = false;
|
||||
|
||||
protected function readField($field) {
|
||||
switch ($field) {
|
||||
|
@ -661,4 +662,35 @@ EOBODY;
|
|||
$email->getUserPHID());
|
||||
}
|
||||
|
||||
|
||||
/* -( Omnipotence )-------------------------------------------------------- */
|
||||
|
||||
|
||||
/**
|
||||
* Returns true if this user is omnipotent. Omnipotent users bypass all policy
|
||||
* checks.
|
||||
*
|
||||
* @return bool True if the user bypasses policy checks.
|
||||
*/
|
||||
public function isOmnipotent() {
|
||||
return $this->omnipotent;
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* Get an omnipotent user object for use in contexts where there is no acting
|
||||
* user, notably daemons.
|
||||
*
|
||||
* @return PhabricatorUser An omnipotent user.
|
||||
*/
|
||||
public static function getOmnipotentUser() {
|
||||
static $user = null;
|
||||
if (!$user) {
|
||||
$user = new PhabricatorUser();
|
||||
$user->omnipotent = true;
|
||||
$user->makeEphemeral();
|
||||
}
|
||||
return $user;
|
||||
}
|
||||
|
||||
}
|
||||
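Review bot: `getOmnipotentUser()` is public and static, so any caller, including code that handles a web request, can obtain a viewer for which the policy filter grants every capability; the docblock names daemons as the intended use but states no constraint. I would extend the docblock with a sentence such as `Never use this as the viewer for work done on behalf of a real user; pass that user instead.` The method also hands every caller the same cached instance, so a change one caller makes to that object is seen by all later callers; whether any caller mutates it is not visible on this page. The class body starts outside both hunks of this file.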
|
|
|
@ -154,6 +154,24 @@ final class PhabricatorPolicyTestCase extends PhabricatorTestCase {
|
|||
}
|
||||
|
||||
|
||||
/**
|
||||
* Test that omnipotent users bypass policies.
|
||||
*/
|
||||
public function testOmnipotence() {
|
||||
$results = array(
|
||||
$this->buildObject(PhabricatorPolicies::POLICY_NOONE),
|
||||
);
|
||||
|
||||
$query = new PhabricatorPolicyAwareTestQuery();
|
||||
$query->setResults($results);
|
||||
$query->setViewer(PhabricatorUser::getOmnipotentUser());
|
||||
|
||||
$this->assertEqual(
|
||||
1,
|
||||
count($query->execute()));
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* Test an object for visibility across multiple user specifications.
|
||||
*/
|
||||
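Review bot: `testOmnipotence()` asserts only the positive case, so it would still pass if the filter let every viewer see a `POLICY_NOONE` object. Running the same results through a fresh query with an ordinary viewer and expecting nothing back would tie the bypass to the flag, for example `$query->setViewer(new PhabricatorUser());` followed by `$this->assertEqual(0, count($query->execute()));`, unless a test outside this hunk already covers that case. The commit summary says the omnipotent user also bypasses CAN_EDIT and CAN_JOIN, but only the view path through the query is exercised here.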
|
|
|
@ -173,6 +173,10 @@ final class PhabricatorPolicyFilter {
|
|||
|
||||
$viewer = $this->viewer;
|
||||
|
||||
if ($viewer->isOmnipotent()) {
|
||||
return true;
|
||||
}
|
||||
|
||||
if ($object->hasAutomaticCapability($capability, $viewer)) {
|
||||
return true;
|
||||
}
|
||||
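Review bot: The `if ($viewer->isOmnipotent())` branch has no comment, although it returns before `hasAutomaticCapability()` and every later check, and so is the one place where policy enforcement is skipped for every object and capability. A short comment would keep a later edit from moving or widening it unnoticed, for example `// Omnipotent viewers (see PhabricatorUser::getOmnipotentUser()) skip all capability checks, not only CAN_VIEW.` Nothing in the visible lines records that the bypass was taken, so uses of the omnipotent viewer cannot be traced from the filter. The enclosing method starts and ends outside the hunk, so checks before `$viewer = $this->viewer;` are not visible.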
|
|