Make more Diffusion controllers/views capability-sensitive

Summary:
Ref T603. I got most of this earlier, but finish it up.

  - Make a couple of controllers public; pretty much everything in Diffusion has implicit policy checks as a result of building a `DiffusionRequest`.
  - Add an "Edit" capability to commits.
  - Swap out the comment thing for commits.
  - Disable actions if the user can't take them.

Test Plan: Viewed a bunch of interfaces while logged out, got appropriate results or roadblocks.

Reviewers: btrahan

Reviewed By: btrahan

CC: aran

Maniphest Tasks: T603

Differential Revision: https://secure.phabricator.com/D7152

src/applications/diffusion/controller/DiffusionCommitBranchesController.php

@@ -2,6 +2,10 @@
 
 final class DiffusionCommitBranchesController extends DiffusionController {
 
+  public function shouldAllowPublic() {
+    return true;
+  }
+
   public function willProcessRequest(array $data) {
     $data['user'] = $this->getRequest()->getUser();
     $this->diffusionRequest = DiffusionRequest::newFromDictionary($data);

src/applications/diffusion/controller/DiffusionCommitController.php

@@ -7,6 +7,10 @@ final class DiffusionCommitController extends DiffusionController {
   private $auditAuthorityPHIDs;
   private $highlightedAudits;
 
+  public function shouldAllowPublic() {
+    return true;
+  }
+
   public function willProcessRequest(array $data) {
     // This controller doesn't use blob/path stuff, just pass the dictionary
     // in directly instead of using the AphrontRequest parsing mechanism.
@@ -609,7 +613,15 @@ final class DiffusionCommitController extends DiffusionController {
     PhabricatorRepositoryCommit $commit,
     array $audit_requests) {
     assert_instances_of($audit_requests, 'PhabricatorRepositoryAuditRequest');
-    $user = $this->getRequest()->getUser();
+
+    $request = $this->getRequest();
+    $user = $request->getUser();
+
+    if (!$user->isLoggedIn()) {
+      return id(new PhabricatorApplicationTransactionCommentView())
+        ->setUser($user)
+        ->setRequestURI($request->getRequestURI());
+    }
 
     $is_serious = PhabricatorEnv::getEnvConfig('phabricator.serious-business');
 
@@ -881,14 +893,20 @@ final class DiffusionCommitController extends DiffusionController {
       ->setObject($commit)
       ->setObjectURI($request->getRequestURI());
 
-    // TODO -- integrate permissions into whether or not this action is shown
-    $uri = '/diffusion/'.$repository->getCallSign().'/commit/'.
+    $can_edit = PhabricatorPolicyFilter::hasCapability(
+      $user,
+      $commit,
+      PhabricatorPolicyCapability::CAN_EDIT);
+
+    $uri = '/diffusion/'.$repository->getCallsign().'/commit/'.
            $commit->getCommitIdentifier().'/edit/';
 
     $action = id(new PhabricatorActionView())
       ->setName(pht('Edit Commit'))
       ->setHref($uri)
-      ->setIcon('edit');
+      ->setIcon('edit')
+      ->setDisabled(!$can_edit)
+      ->setWorkflow(!$can_edit);
     $actions->addAction($action);
 
     require_celerity_resource('phabricator-object-selector-css');
@@ -900,7 +918,8 @@ final class DiffusionCommitController extends DiffusionController {
         ->setName(pht('Edit Maniphest Tasks'))
         ->setIcon('attach')
         ->setHref('/search/attach/'.$commit->getPHID().'/TASK/edge/')
-        ->setWorkflow(true);
+        ->setWorkflow(true)
+        ->setDisabled(!$can_edit);
       $actions->addAction($action);
     }
 

src/applications/diffusion/controller/DiffusionCommitTagsController.php

@@ -2,6 +2,10 @@
 
 final class DiffusionCommitTagsController extends DiffusionController {
 
+  public function shouldAllowPublic() {
+    return true;
+  }
+
   public function willProcessRequest(array $data) {
     $data['user'] = $this->getRequest()->getUser();
     $this->diffusionRequest = DiffusionRequest::newFromDictionary($data);

src/applications/diffusion/controller/DiffusionExternalController.php

@@ -6,6 +6,10 @@ final class DiffusionExternalController extends DiffusionController {
     // Don't build a DiffusionRequest.
   }
 
+  public function shouldAllowPublic() {
+    return true;
+  }
+
   public function processRequest() {
     $request = $this->getRequest();
 

src/applications/diffusion/controller/DiffusionLastModifiedController.php

@@ -2,6 +2,10 @@
 
 final class DiffusionLastModifiedController extends DiffusionController {
 
+  public function shouldAllowPublic() {
+    return true;
+  }
+
   public function processRequest() {
     $drequest = $this->getDiffusionRequest();
     $request = $this->getRequest();

src/applications/diffusion/request/DiffusionRequest.php

@@ -271,10 +271,13 @@ abstract class DiffusionRequest {
     if (empty($this->repositoryCommit)) {
       $repository = $this->getRepository();
 
+      // TODO: (T603) This should be a real query, but we need to sort out
+      // the viewer.
       $commit = id(new PhabricatorRepositoryCommit())->loadOneWhere(
         'repositoryID = %d AND commitIdentifier = %s',
         $repository->getID(),
         $this->getCommit());
+      $commit->attachRepository($repository);
       $this->repositoryCommit = $commit;
     }
     return $this->repositoryCommit;

src/applications/repository/storage/PhabricatorRepositoryCommit.php

@@ -156,11 +156,19 @@ final class PhabricatorRepositoryCommit
   public function getCapabilities() {
     return array(
       PhabricatorPolicyCapability::CAN_VIEW,
+      PhabricatorPolicyCapability::CAN_EDIT,
     );
   }
 
   public function getPolicy($capability) {
-    return $this->getRepository()->getPolicy($capability);
+    switch ($capability) {
+      case PhabricatorPolicyCapability::CAN_VIEW:
+        return $this->getRepository()->getPolicy($capability);
+      case PhabricatorPolicyCapability::CAN_EDIT:
+        // TODO: (T603) Who should be able to edit a commit? For now, retain
+        // the existing policy.
+        return PhabricatorPolicies::POLICY_USER;
+    }
   }
 
   public function hasAutomaticCapability($capability, PhabricatorUser $viewer) {