mirror of https://we.phorge.it/source/phorge.git synced 2025-01-27 15:08:20 +01:00

Save authorPHID on Passphrase Credentials to support "Credential Author" object policy

Summary:
Fixes T5135. Currently, when you create a credential, we default the policies to your PHID. This means we can't have an application-level configurable default because there's no way to select "the actor's PHID" as a policy.

Start tracking the credential author's PHID and add an object policy for it, so there is such a setting.

Then, add policy defaults.

This mostly unblocks T6787. This obsoletes T6860.

Test Plan:
  - Created a credential with "Credential Author" policy.
  - Verified I can see/edit it, but other users cannot.
  - Changed default policies to something else.

Reviewers: btrahan

Reviewed By: btrahan

Subscribers: epriestley

Maniphest Tasks: T5135

Differential Revision: https://secure.phabricator.com/D13385
epriestley 2015-06-22 11:28:33 -07:00
parent bc6d0478b4
commit 85af4b01b9
7 changed files with 114 additions and 2 deletions


@ -0,0 +1,2 @@
ALTER TABLE {$NAMESPACE}_passphrase.passphrase_credential
ADD authorPHID VARBINARY(64) NOT NULL;
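Review bot: The new `authorPHID` column is added as NOT NULL with no backfill, so every credential that existed before this migration ends up with an empty author. The `applyRule()` added elsewhere in this commit returns false for an empty author, which fails closed, but it also means that switching a pre-existing credential to the "Credential Author" policy leaves it matching no user. I would record that on the migration with a comment such as `/* Existing rows get an empty authorPHID; the author policy rule treats that as "no author" and denies. */`, and consider a follow-up backfill if the original creator can be recovered from elsewhere.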


@ -1267,6 +1267,7 @@ phutil_register_library_map(array(
'PassphraseConduitAPIMethod' => 'applications/passphrase/conduit/PassphraseConduitAPIMethod.php',
'PassphraseController' => 'applications/passphrase/controller/PassphraseController.php',
'PassphraseCredential' => 'applications/passphrase/storage/PassphraseCredential.php',
'PassphraseCredentialAuthorPolicyRule' => 'applications/passphrase/policyrule/PassphraseCredentialAuthorPolicyRule.php',
'PassphraseCredentialConduitController' => 'applications/passphrase/controller/PassphraseCredentialConduitController.php',
'PassphraseCredentialControl' => 'applications/passphrase/view/PassphraseCredentialControl.php',
'PassphraseCredentialCreateController' => 'applications/passphrase/controller/PassphraseCredentialCreateController.php',
@ -1286,6 +1287,8 @@ phutil_register_library_map(array(
'PassphraseCredentialTypeTestCase' => 'applications/passphrase/credentialtype/__tests__/PassphraseCredentialTypeTestCase.php',
'PassphraseCredentialViewController' => 'applications/passphrase/controller/PassphraseCredentialViewController.php',
'PassphraseDAO' => 'applications/passphrase/storage/PassphraseDAO.php',
'PassphraseDefaultEditCapability' => 'applications/passphrase/capability/PassphraseDefaultEditCapability.php',
'PassphraseDefaultViewCapability' => 'applications/passphrase/capability/PassphraseDefaultViewCapability.php',
'PassphraseNoteCredentialType' => 'applications/passphrase/credentialtype/PassphraseNoteCredentialType.php',
'PassphrasePasswordCredentialType' => 'applications/passphrase/credentialtype/PassphrasePasswordCredentialType.php',
'PassphrasePasswordKey' => 'applications/passphrase/keys/PassphrasePasswordKey.php',
@ -4779,6 +4782,7 @@ phutil_register_library_map(array(
'PhabricatorPolicyInterface',
'PhabricatorDestructibleInterface',
),
'PassphraseCredentialAuthorPolicyRule' => 'PhabricatorPolicyRule',
'PassphraseCredentialConduitController' => 'PassphraseController',
'PassphraseCredentialControl' => 'AphrontFormControl',
'PassphraseCredentialCreateController' => 'PassphraseController',
@ -4798,6 +4802,8 @@ phutil_register_library_map(array(
'PassphraseCredentialTypeTestCase' => 'PhabricatorTestCase',
'PassphraseCredentialViewController' => 'PassphraseController',
'PassphraseDAO' => 'PhabricatorLiskDAO',
'PassphraseDefaultEditCapability' => 'PhabricatorPolicyCapability',
'PassphraseDefaultViewCapability' => 'PhabricatorPolicyCapability',
'PassphraseNoteCredentialType' => 'PassphraseCredentialType',
'PassphrasePasswordCredentialType' => 'PassphraseCredentialType',
'PassphrasePasswordKey' => 'PassphraseAbstractKey',


@ -63,4 +63,22 @@ final class PhabricatorPassphraseApplication extends PhabricatorApplication {
);
}
protected function getCustomCapabilities() {
$policy_key = id(new PassphraseCredentialAuthorPolicyRule())
->getObjectPolicyFullKey();
return array(
PassphraseDefaultViewCapability::CAPABILITY => array(
'caption' => pht('Default view policy for newly created credentials.'),
'template' => PassphraseCredentialPHIDType::TYPECONST,
'default' => $policy_key,
),
PassphraseDefaultEditCapability::CAPABILITY => array(
'caption' => pht('Default edit policy for newly created credentials.'),
'template' => PassphraseCredentialPHIDType::TYPECONST,
'default' => $policy_key,
),
);
}
}


@ -0,0 +1,12 @@
<?php
final class PassphraseDefaultEditCapability
extends PhabricatorPolicyCapability {
const CAPABILITY = 'passphrase.default.edit';
public function getCapabilityName() {
return pht('Default Edit Policy');
}
}


@ -0,0 +1,16 @@
<?php
final class PassphraseDefaultViewCapability
extends PhabricatorPolicyCapability {
const CAPABILITY = 'passphrase.default.view';
public function getCapabilityName() {
return pht('Default View Policy');
}
public function shouldAllowPublicPolicySetting() {
return true;
}
}
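Review bot: `shouldAllowPublicPolicySetting()` returning true lets an administrator choose "Public" as the default view policy for every newly created credential, and nothing in this file says why that is acceptable for a secrets store. The edit capability added in this commit has no such override, so the asymmetry looks deliberate, but whether view access alone exposes anything beyond name and description is decided outside this hunk. Either drop the override or put a comment above it, for example `// View exposes credential metadata only; revealing the secret needs edit.`, once that has been confirmed against the code that reveals the secret.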


@ -0,0 +1,48 @@
<?php
final class PassphraseCredentialAuthorPolicyRule
extends PhabricatorPolicyRule {
public function getObjectPolicyKey() {
return 'passphrase.author';
}
public function getObjectPolicyName() {
return pht('Credential Author');
}
public function getPolicyExplanation() {
return pht('The author of this credential can take this action.');
}
public function getRuleDescription() {
return pht('credential author');
}
public function canApplyToObject(PhabricatorPolicyInterface $object) {
return ($object instanceof PassphraseCredential);
}
public function applyRule(
PhabricatorUser $viewer,
$value,
PhabricatorPolicyInterface $object) {
$author_phid = $object->getAuthorPHID();
if (!$author_phid) {
return false;
}
$viewer_phid = $viewer->getPHID();
if (!$viewer_phid) {
return false;
}
return ($viewer_phid == $author_phid);
}
public function getValueControlType() {
return self::CONTROL_TYPE_NONE;
}
}
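Review bot: The final check in `applyRule()` makes an authorization decision with a loose comparison, `return ($viewer_phid == $author_phid);`. Both values are expected to be PHID strings, and PHP's `==` compares two numeric-looking strings as numbers, so the result depends on PHIDs never taking that form; `return ($viewer_phid === $author_phid);` removes the dependency at no cost. `applyRule()` also calls `$object->getAuthorPHID()` on a parameter typed only as `PhabricatorPolicyInterface`, so it relies on the caller having checked `canApplyToObject()` first, and a one-line comment saying so would help the next reader.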


@ -17,17 +17,27 @@ final class PassphraseCredential extends PassphraseDAO
protected $isDestroyed;
protected $isLocked = 0;
protected $allowConduit = 0;
protected $authorPHID;
private $secret = self::ATTACHABLE;
public static function initializeNewCredential(PhabricatorUser $actor) {
$app = id(new PhabricatorApplicationQuery())
->setViewer($actor)
->withClasses(array('PhabricatorPassphraseApplication'))
->executeOne();
$view_policy = $app->getPolicy(PassphraseDefaultViewCapability::CAPABILITY);
$edit_policy = $app->getPolicy(PassphraseDefaultEditCapability::CAPABILITY);
return id(new PassphraseCredential())
->setName('')
->setUsername('')
->setDescription('')
->setIsDestroyed(0)
->setViewPolicy($actor->getPHID())
->setEditPolicy($actor->getPHID());
->setAuthorPHID($actor->getPHID())
->setViewPolicy($view_policy)
->setEditPolicy($edit_policy);
}
public function getMonogram() {
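Review bot: `initializeNewCredential()` dereferences the result of `executeOne()` without checking it, and stores `$actor->getPHID()` as the author without checking that either. The application query runs as `$actor`, so if it returns nothing the next line is a fatal on `$app->getPolicy(...)`; and an actor with no PHID would, under the shipped defaults, produce a credential whose view and edit policy is "Credential Author" with no author, which the new rule denies to everyone. Whether such actors can reach this method is not visible here. A guard like `if (!$app) { throw new Exception(pht('Passphrase application is not available.')); }` plus a comment that `authorPHID` is set once at creation would make both assumptions explicit. The hunk ends on the opening line of `getMonogram()`, whose body is outside it.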