From 85af4b01b962445d0628a4f1147eed38a52e1a3c Mon Sep 17 00:00:00 2001
From: epriestley
Date: Mon, 22 Jun 2015 11:28:33 -0700
Subject: [PATCH] Save authorPHID on Passphrase Credentials to support "Credential Author" object policy
Summary: Fixes T5135. Currently, when you create a credential, we default the policies to your PHID. This means we can't have an application-level configurable default because there's no way to select "the actor's PHID" as a policy. Start tracking the credential author's PHID and add an object policy for it, so there is such a setting. Then, add policy defaults. This mostly unblocks T6787. This obsoletes T6860.
Test Plan:
- Created a credential with "Credential Author" policy.
- Verified I can see/edit it, but other users can not.
- Changed default policies to something else.
Reviewers: btrahan
Reviewed By: btrahan
Subscribers: epriestley
Maniphest Tasks: T5135
Differential Revision: https://secure.phabricator.com/D13385
---
 .../sql/autopatches/20150621.phrase.1.sql | 2 +
 src/__phutil_library_map__.php | 6 +++
 .../PhabricatorPassphraseApplication.php | 18 +++++++
 .../PassphraseDefaultEditCapability.php | 12 +++++
 .../PassphraseDefaultViewCapability.php | 16 +++++++
 .../PassphraseCredentialAuthorPolicyRule.php | 48 +++++++++++++++++++
 .../storage/PassphraseCredential.php | 14 +++++-
 7 files changed, 114 insertions(+), 2 deletions(-)
 create mode 100644 resources/sql/autopatches/20150621.phrase.1.sql
 create mode 100644 src/applications/passphrase/capability/PassphraseDefaultEditCapability.php
 create mode 100644 src/applications/passphrase/capability/PassphraseDefaultViewCapability.php
 create mode 100644 src/applications/passphrase/policyrule/PassphraseCredentialAuthorPolicyRule.php
diff --git a/resources/sql/autopatches/20150621.phrase.1.sql b/resources/sql/autopatches/20150621.phrase.1.sql
new file mode 100644
index 0000000000..323b2b2208
--- /dev/null
+++ b/resources/sql/autopatches/20150621.phrase.1.sql
@@ -0,0 +1,2 @@
+ALTER TABLE {$NAMESPACE}_passphrase.passphrase_credential
+ ADD authorPHID VARBINARY(64) NOT NULL;
diff --git a/src/__phutil_library_map__.php b/src/__phutil_library_map__.php
index fa5272bb32..61fa9d03bb 100644
--- a/src/__phutil_library_map__.php
+++ b/src/__phutil_library_map__.php
@@ -1267,6 +1267,7 @@ phutil_register_library_map(array( 'PassphraseConduitAPIMethod' => 'applications/passphrase/conduit/PassphraseConduitAPIMethod.php', 'PassphraseController' => 'applications/passphrase/controller/PassphraseController.php', 'PassphraseCredential' => 'applications/passphrase/storage/PassphraseCredential.php', + 'PassphraseCredentialAuthorPolicyRule' => 'applications/passphrase/policyrule/PassphraseCredentialAuthorPolicyRule.php', 'PassphraseCredentialConduitController' => 'applications/passphrase/controller/PassphraseCredentialConduitController.php', 'PassphraseCredentialControl' => 'applications/passphrase/view/PassphraseCredentialControl.php', 'PassphraseCredentialCreateController' => 'applications/passphrase/controller/PassphraseCredentialCreateController.php',
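Review bot: The new `authorPHID` column in the SQL autopatch is added `NOT NULL` with no backfill, so every credential that already exists is left without a recorded author (presumably an empty value). The visible part of the policy rule returns false when the author PHID is empty, which fails closed, but it also means that switching a pre-existing credential to the "Credential Author" policy would leave nobody matching that rule. Consider a follow-up migration that fills the column for old rows, or at least record the behaviour in the patch, for example `/* Rows created before this patch have an empty authorPHID; the author policy rule denies them. */`.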
@@ -1286,6 +1287,8 @@ phutil_register_library_map(array( 'PassphraseCredentialTypeTestCase' => 'applications/passphrase/credentialtype/__tests__/PassphraseCredentialTypeTestCase.php', 'PassphraseCredentialViewController' => 'applications/passphrase/controller/PassphraseCredentialViewController.php', 'PassphraseDAO' => 'applications/passphrase/storage/PassphraseDAO.php', + 'PassphraseDefaultEditCapability' => 'applications/passphrase/capability/PassphraseDefaultEditCapability.php', + 'PassphraseDefaultViewCapability' => 'applications/passphrase/capability/PassphraseDefaultViewCapability.php', 'PassphraseNoteCredentialType' => 'applications/passphrase/credentialtype/PassphraseNoteCredentialType.php', 'PassphrasePasswordCredentialType' => 'applications/passphrase/credentialtype/PassphrasePasswordCredentialType.php', 'PassphrasePasswordKey' => 'applications/passphrase/keys/PassphrasePasswordKey.php', @@ -4779,6 +4782,7 @@ phutil_register_library_map(array( 'PhabricatorPolicyInterface', 'PhabricatorDestructibleInterface', ), + 'PassphraseCredentialAuthorPolicyRule' => 'PhabricatorPolicyRule', 'PassphraseCredentialConduitController' => 'PassphraseController', 'PassphraseCredentialControl' => 'AphrontFormControl', 'PassphraseCredentialCreateController' => 'PassphraseController', @@ -4798,6 +4802,8 @@ phutil_register_library_map(array( 'PassphraseCredentialTypeTestCase' => 'PhabricatorTestCase', 'PassphraseCredentialViewController' => 'PassphraseController', 'PassphraseDAO' => 'PhabricatorLiskDAO', + 'PassphraseDefaultEditCapability' => 'PhabricatorPolicyCapability', + 'PassphraseDefaultViewCapability' => 'PhabricatorPolicyCapability', 'PassphraseNoteCredentialType' => 'PassphraseCredentialType', 'PassphrasePasswordCredentialType' => 'PassphraseCredentialType', 'PassphrasePasswordKey' => 'PassphraseAbstractKey', 
diff --git a/src/applications/passphrase/application/PhabricatorPassphraseApplication.php b/src/applications/passphrase/application/PhabricatorPassphraseApplication.php
index df21ba8be1..92e9abe9d0 100644
--- a/src/applications/passphrase/application/PhabricatorPassphraseApplication.php
+++ b/src/applications/passphrase/application/PhabricatorPassphraseApplication.php
@@ -63,4 +63,22 @@ final class PhabricatorPassphraseApplication extends PhabricatorApplication {
 );
 }
 
+ protected function getCustomCapabilities() {
+ $policy_key = id(new PassphraseCredentialAuthorPolicyRule())
+ ->getObjectPolicyFullKey();
+
+ return array(
+ PassphraseDefaultViewCapability::CAPABILITY => array(
+ 'caption' => pht('Default view policy for newly created credentials.'),
+ 'template' => PassphraseCredentialPHIDType::TYPECONST,
+ 'default' => $policy_key,
+ ),
+ PassphraseDefaultEditCapability::CAPABILITY => array(
+ 'caption' => pht('Default edit policy for newly created credentials.'),
+ 'template' => PassphraseCredentialPHIDType::TYPECONST,
+ 'default' => $policy_key,
+ ),
+ );
+ }
+
 }
diff --git a/src/applications/passphrase/capability/PassphraseDefaultEditCapability.php b/src/applications/passphrase/capability/PassphraseDefaultEditCapability.php
new file mode 100644
index 0000000000..0b80782698
--- /dev/null
+++ b/src/applications/passphrase/capability/PassphraseDefaultEditCapability.php
@@ -0,0 +1,12 @@
+getAuthorPHID();
+ if (!$author_phid) {
+ return false;
+ }
+
+ $viewer_phid = $viewer->getPHID();
+ if (!$viewer_phid) {
+ return false;
+ }
+
+ return ($viewer_phid == $author_phid);
+ }
+
+ public function getValueControlType() {
+ return self::CONTROL_TYPE_NONE;
+ }
+
+}
diff --git a/src/applications/passphrase/storage/PassphraseCredential.php b/src/applications/passphrase/storage/PassphraseCredential.php
index b867323f53..b2977a9c3b 100644
--- a/src/applications/passphrase/storage/PassphraseCredential.php
+++ b/src/applications/passphrase/storage/PassphraseCredential.php
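Review bot: `getCustomCapabilities()` in PhabricatorPassphraseApplication.php has no comment explaining why both defaults point at the author object policy. Credentials hold secrets, and the commit message says the previous default was the actor's own PHID, so it is worth recording that the author-only default is deliberate and should not be loosened casually. Something like `// Default to author-only: credentials are secrets, so keep the previous behaviour unless an administrator changes it.` above the `$policy_key` assignment would do.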
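Review bot: The authorization decision `return ($viewer_phid == $author_phid);` in the policy rule uses loose comparison; an access check is better written as `return ($viewer_phid === $author_phid);`. Both values are rejected when empty just above, and PHIDs are presumably non-numeric strings, so this is unlikely to be exploitable as written, but strict comparison removes any dependence on PHP's type-juggling rules. The start of this file is missing from the page, so the enclosing method's signature and how the object is obtained are not visible here.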
@@ -17,17 +17,27 @@ final class PassphraseCredential extends PassphraseDAO
 protected $isDestroyed;
 protected $isLocked = 0;
 protected $allowConduit = 0;
+ protected $authorPHID;
 
 private $secret = self::ATTACHABLE;
 
 public static function initializeNewCredential(PhabricatorUser $actor) {
+ $app = id(new PhabricatorApplicationQuery())
+ ->setViewer($actor)
+ ->withClasses(array('PhabricatorPassphraseApplication'))
+ ->executeOne();
+
+ $view_policy = $app->getPolicy(PassphraseDefaultViewCapability::CAPABILITY);
+ $edit_policy = $app->getPolicy(PassphraseDefaultEditCapability::CAPABILITY);
+
 return id(new PassphraseCredential())
 ->setName('')
 ->setUsername('')
 ->setDescription('')
 ->setIsDestroyed(0)
- ->setViewPolicy($actor->getPHID())
- ->setEditPolicy($actor->getPHID());
+ ->setAuthorPHID($actor->getPHID())
+ ->setViewPolicy($view_policy)
+ ->setEditPolicy($edit_policy);
 }
 
 public function getMonogram() {
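Review bot: In `initializeNewCredential()`, `$app` is used without a null check, so if `executeOne()` returns nothing for this `$actor` the following `$app->getPolicy(...)` is a call on null. That could presumably happen when the application is not visible to the actor, since the query runs with `setViewer($actor)`; callers may already guarantee application access, but that is not visible in the hunk. A guard such as `if (!$app) { throw new Exception(pht('Passphrase application is not available to this user.')); }` before the two `getPolicy()` calls would turn the fatal into a clear error. `getMonogram()` at the end of the hunk continues outside it.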