Allow logged-out users to load global preferences on installs without public viewers

Summary: Fixes T11946. When a logged-out viewer is loading a page on a non-public install, there are two policy issues which prevent them from loading global settings: - They can not see the Settings application itself. - They can not see the global settings object. Allow them to see Settings by making mandatory applications always visible. (This doesn't make any application pages public.) Allow them to see the global settings object explicitly. Test Plan: Changed default language, viewed logged-out page: {F2076924} Reviewers: chad Reviewed By: chad Maniphest Tasks: T11946 Differential Revision: https://secure.phabricator.com/D16983
2024-11-18 21:02:41 +01:00 · 2016-12-05 08:54:15 -08:00 · 2016-12-05 08:54:15 -08:00 · 5f593aafb1
commit 5f593aafb1
parent f0bf0419f1
2 changed files with 20 additions and 4 deletions
--- a/src/applications/base/PhabricatorApplication.php
+++ b/src/applications/base/PhabricatorApplication.php
@ -437,10 +437,19 @@ abstract class PhabricatorApplication
      if (!self::isClassInstalled($class)) {
        $result = false;
      } else {
-        $result = PhabricatorPolicyFilter::hasCapability(
-          $viewer,
-          self::getByClass($class),
-          PhabricatorPolicyCapability::CAN_VIEW);
+        $application = self::getByClass($class);
+        if (!$application->canUninstall()) {
+          // If the application can not be uninstalled, always allow viewers
+          // to see it. In particular, this allows logged-out viewers to see
+          // Settings and load global default settings even if the install
+          // does not allow public viewers.
+          $result = true;
+        } else {
+          $result = PhabricatorPolicyFilter::hasCapability(
+            $viewer,
+            self::getByClass($class),
+            PhabricatorPolicyCapability::CAN_VIEW);
+        }
      }

      $cache->setKey($key, $result);
--- a/src/applications/settings/storage/PhabricatorUserPreferences.php
+++ b/src/applications/settings/storage/PhabricatorUserPreferences.php
@ -219,6 +219,13 @@ final class PhabricatorUserPreferences
      }
    }

+    switch ($this->getBuiltinKey()) {
+      case self::BUILTIN_GLOBAL_DEFAULT:
+        // NOTE: Without this policy exception, the logged-out viewer can not
+        // see global preferences.
+        return true;
+    }
+
    return false;
  }