Save authorPHID on Passphrase Credentials to support "Credential Author" object policy
Summary: Fixes T5135. Currently, when you create a credential, we default the policies to your PHID. This means we can't have an application-level configurable default because there's no way to select "the actor's PHID" as a policy. Start tracking the credential author's PHID and add an object policy for it, so there is such a setting. Then, add policy defaults. This mostly unblocks T6787. This obsoletes T6860. Test Plan: - Created a credential with "Credential Author" policy. - Verified I can see/edit it, but other users cannot. - Changed default policies to something else. Reviewers: btrahan Reviewed By: btrahan Subscribers: epriestley Maniphest Tasks: T5135 Differential Revision: https://secure.phabricator.com/D13385
This commit is contained in:
parent
bc6d0478b4
commit
85af4b01b9
7 changed files with 114 additions and 2 deletions
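--- a/resources/sql/autopatches/20150621.phrase.1.sql
+++ b/resources/sql/autopatches/20150621.phrase.1.sql
@@ -0,0 +1,2 @@
+ALTER TABLE {$NAMESPACE}_passphrase.passphrase_credential
+ADD authorPHID VARBINARY(64) NOT NULL;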
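Review bot: The new column is `NOT NULL` with no default and no backfill, so every credential that already exists ends up with an empty `authorPHID` after this patch runs. That is only safe because `PassphraseCredentialAuthorPolicyRule::applyRule` returns false for an empty author PHID, which means existing credentials never match the new "Credential Author" policy rather than matching every viewer. The patch should record that intent, e.g. `-- Existing rows keep an empty authorPHID; the "Credential Author" policy rule never matches them.`. If pre-existing credentials are expected to be reachable through the author policy, a backfill would have to be a separate change; nothing in this commit provides one.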
@ -1267,6 +1267,7 @@ phutil_register_library_map(array(
|
|||
'PassphraseConduitAPIMethod' => 'applications/passphrase/conduit/PassphraseConduitAPIMethod.php',
|
||||
'PassphraseController' => 'applications/passphrase/controller/PassphraseController.php',
|
||||
'PassphraseCredential' => 'applications/passphrase/storage/PassphraseCredential.php',
|
||||
'PassphraseCredentialAuthorPolicyRule' => 'applications/passphrase/policyrule/PassphraseCredentialAuthorPolicyRule.php',
|
||||
'PassphraseCredentialConduitController' => 'applications/passphrase/controller/PassphraseCredentialConduitController.php',
|
||||
'PassphraseCredentialControl' => 'applications/passphrase/view/PassphraseCredentialControl.php',
|
||||
'PassphraseCredentialCreateController' => 'applications/passphrase/controller/PassphraseCredentialCreateController.php',
|
||||
|
@ -1286,6 +1287,8 @@ phutil_register_library_map(array(
|
|||
'PassphraseCredentialTypeTestCase' => 'applications/passphrase/credentialtype/__tests__/PassphraseCredentialTypeTestCase.php',
|
||||
'PassphraseCredentialViewController' => 'applications/passphrase/controller/PassphraseCredentialViewController.php',
|
||||
'PassphraseDAO' => 'applications/passphrase/storage/PassphraseDAO.php',
|
||||
'PassphraseDefaultEditCapability' => 'applications/passphrase/capability/PassphraseDefaultEditCapability.php',
|
||||
'PassphraseDefaultViewCapability' => 'applications/passphrase/capability/PassphraseDefaultViewCapability.php',
|
||||
'PassphraseNoteCredentialType' => 'applications/passphrase/credentialtype/PassphraseNoteCredentialType.php',
|
||||
'PassphrasePasswordCredentialType' => 'applications/passphrase/credentialtype/PassphrasePasswordCredentialType.php',
|
||||
'PassphrasePasswordKey' => 'applications/passphrase/keys/PassphrasePasswordKey.php',
|
||||
|
@ -4779,6 +4782,7 @@ phutil_register_library_map(array(
|
|||
'PhabricatorPolicyInterface',
|
||||
'PhabricatorDestructibleInterface',
|
||||
),
|
||||
'PassphraseCredentialAuthorPolicyRule' => 'PhabricatorPolicyRule',
|
||||
'PassphraseCredentialConduitController' => 'PassphraseController',
|
||||
'PassphraseCredentialControl' => 'AphrontFormControl',
|
||||
'PassphraseCredentialCreateController' => 'PassphraseController',
|
||||
|
@ -4798,6 +4802,8 @@ phutil_register_library_map(array(
|
|||
'PassphraseCredentialTypeTestCase' => 'PhabricatorTestCase',
|
||||
'PassphraseCredentialViewController' => 'PassphraseController',
|
||||
'PassphraseDAO' => 'PhabricatorLiskDAO',
|
||||
'PassphraseDefaultEditCapability' => 'PhabricatorPolicyCapability',
|
||||
'PassphraseDefaultViewCapability' => 'PhabricatorPolicyCapability',
|
||||
'PassphraseNoteCredentialType' => 'PassphraseCredentialType',
|
||||
'PassphrasePasswordCredentialType' => 'PassphraseCredentialType',
|
||||
'PassphrasePasswordKey' => 'PassphraseAbstractKey',
|
||||
|
|
|
@ -63,4 +63,22 @@ final class PhabricatorPassphraseApplication extends PhabricatorApplication {
|
|||
);
|
||||
}
|
||||
|
||||
protected function getCustomCapabilities() {
|
||||
$policy_key = id(new PassphraseCredentialAuthorPolicyRule())
|
||||
->getObjectPolicyFullKey();
|
||||
|
||||
return array(
|
||||
PassphraseDefaultViewCapability::CAPABILITY => array(
|
||||
'caption' => pht('Default view policy for newly created credentials.'),
|
||||
'template' => PassphraseCredentialPHIDType::TYPECONST,
|
||||
'default' => $policy_key,
|
||||
),
|
||||
PassphraseDefaultEditCapability::CAPABILITY => array(
|
||||
'caption' => pht('Default edit policy for newly created credentials.'),
|
||||
'template' => PassphraseCredentialPHIDType::TYPECONST,
|
||||
'default' => $policy_key,
|
||||
),
|
||||
);
|
||||
}
|
||||
|
||||
}
|
||||
|
|
|
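Review bot: `getCustomCapabilities()` carries no comment explaining that `'default' => $policy_key` is what preserves the old behaviour (policies defaulting to the creating user) now that the hard-coded actor PHID is gone from `initializeNewCredential`. A reader of this file alone cannot tell that the "Credential Author" object policy is the intended private-by-default choice, or that an administrator changing these two settings widens the visibility of every credential created afterwards. A short comment above the `return`, `// Default both policies to the "Credential Author" object policy so new credentials stay private to their creator unless an administrator changes these defaults.`, would make that explicit. The enclosing class starts before this hunk.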
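--- a/src/applications/passphrase/capability/PassphraseDefaultEditCapability.php
+++ b/src/applications/passphrase/capability/PassphraseDefaultEditCapability.php
@@ -0,0 +1,12 @@
+<?php
+
+final class PassphraseDefaultEditCapability
+extends PhabricatorPolicyCapability {
+
+const CAPABILITY = 'passphrase.default.edit';
+
+public function getCapabilityName() {
+return pht('Default Edit Policy');
+}
+
+}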
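--- a/src/applications/passphrase/capability/PassphraseDefaultViewCapability.php
+++ b/src/applications/passphrase/capability/PassphraseDefaultViewCapability.php
@@ -0,0 +1,16 @@
+<?php
+
+final class PassphraseDefaultViewCapability
+extends PhabricatorPolicyCapability {
+
+const CAPABILITY = 'passphrase.default.view';
+
+public function getCapabilityName() {
+return pht('Default View Policy');
+}
+
+public function shouldAllowPublicPolicySetting() {
+return true;
+}
+
+}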
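Review bot: `shouldAllowPublicPolicySetting()` returning true lets an administrator pick "Public" as the default view policy for every newly created credential, while the edit capability in the previous file deliberately does not override it, and nothing on the page says why a public default is acceptable for an object that stores secrets. The override should be justified by a comment stating what CAN_VIEW on a credential actually exposes, e.g. `// CAN_VIEW exposes credential metadata only; revealing the secret is gated separately.` — but only if that gating really holds, which cannot be confirmed from this commit. If viewing a credential can reveal the secret material, this method should be removed so the default cannot be made public.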
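--- a/src/applications/passphrase/policyrule/PassphraseCredentialAuthorPolicyRule.php
+++ b/src/applications/passphrase/policyrule/PassphraseCredentialAuthorPolicyRule.php
@@ -0,0 +1,48 @@
+<?php
+
+final class PassphraseCredentialAuthorPolicyRule
+extends PhabricatorPolicyRule {
+
+public function getObjectPolicyKey() {
+return 'passphrase.author';
+}
+
+public function getObjectPolicyName() {
+return pht('Credential Author');
+}
+
+public function getPolicyExplanation() {
+return pht('The author of this credential can take this action.');
+}
+
+public function getRuleDescription() {
+return pht('credential author');
+}
+
+public function canApplyToObject(PhabricatorPolicyInterface $object) {
+return ($object instanceof PassphraseCredential);
+}
+
+public function applyRule(
+PhabricatorUser $viewer,
+$value,
+PhabricatorPolicyInterface $object) {
+
+$author_phid = $object->getAuthorPHID();
+if (!$author_phid) {
+return false;
+}
+
+$viewer_phid = $viewer->getPHID();
+if (!$viewer_phid) {
+return false;
+}
+
+return ($viewer_phid == $author_phid);
+}
+
+public function getValueControlType() {
+return self::CONTROL_TYPE_NONE;
+}
+
+}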
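Review bot: `applyRule` decides the access check with loose comparison, `return ($viewer_phid == $author_phid);`; both values are PHID strings, so `===` states the intent and rules out PHP's numeric-string coercion on an authorization decision: `return ($viewer_phid === $author_phid);`. The two preceding falsy guards already keep an empty author PHID (the value pre-existing rows get from the migration) from ever matching, which is the right default and worth a comment such as `// An empty author PHID (e.g. credentials created before authorPHID existed) must never match.`. Separately, `$object` is typed `PhabricatorPolicyInterface` but `getAuthorPHID()` is only available because `canApplyToObject()` limits the rule to `PassphraseCredential`; a one-line comment noting that dependency above the call would prevent a future caller from breaking it.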
@ -17,17 +17,27 @@ final class PassphraseCredential extends PassphraseDAO
|
|||
protected $isDestroyed;
|
||||
protected $isLocked = 0;
|
||||
protected $allowConduit = 0;
|
||||
protected $authorPHID;
|
||||
|
||||
private $secret = self::ATTACHABLE;
|
||||
|
||||
public static function initializeNewCredential(PhabricatorUser $actor) {
|
||||
$app = id(new PhabricatorApplicationQuery())
|
||||
->setViewer($actor)
|
||||
->withClasses(array('PhabricatorPassphraseApplication'))
|
||||
->executeOne();
|
||||
|
||||
$view_policy = $app->getPolicy(PassphraseDefaultViewCapability::CAPABILITY);
|
||||
$edit_policy = $app->getPolicy(PassphraseDefaultEditCapability::CAPABILITY);
|
||||
|
||||
return id(new PassphraseCredential())
|
||||
->setName('')
|
||||
->setUsername('')
|
||||
->setDescription('')
|
||||
->setIsDestroyed(0)
|
||||
->setViewPolicy($actor->getPHID())
|
||||
->setEditPolicy($actor->getPHID());
|
||||
->setAuthorPHID($actor->getPHID())
|
||||
->setViewPolicy($view_policy)
|
||||
->setEditPolicy($edit_policy);
|
||||
}
|
||||
|
||||
public function getMonogram() {
|
||||
|
|
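Review bot: In `initializeNewCredential`, `$app->getPolicy(...)` is called without checking the result of `executeOne()`; if that query can return null here — which it appears to, for instance when the application is not visible to `$actor` — the call fails with a fatal error instead of a useful message. A guard such as `if (!$app) { throw new Exception(pht('Unable to load the Passphrase application.')); }` between the query and the `getPolicy()` calls would make the failure explicit. The new defaults also silently replace the old actor-PHID policies, so a comment on the query, `// Defaults come from the application's configurable view/edit capabilities; "Credential Author" reproduces the old actor-PHID behaviour.`, would help the next reader. The enclosing class continues outside the hunk.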