1
0
Fork 0
mirror of https://we.phorge.it/source/phorge.git synced 2024-11-21 22:32:41 +01:00

Add Diffusion policy capability "Can Edit and View Identities"

Summary:
Make it possible not to allow anyone to edit Diffusion identities.
Make it possible not to allow anyone to view other users' email addresses.

Closes T15443

Test Plan:
* As an admin, go to `/applications/view/PhabricatorDiffusionApplication/` and see new policy "Can Edit and View Identities" set to "All Users" (as implicitly before)
* As an admin, go to `/applications/view/PhabricatorDiffusionApplication/` and change "Can Edit and View Identities" from "All Users" to "Administrators"
* As a non-admin, go to `/diffusion/identity/` and try to select the disabled "Create Identity" button; get an error message clicking it due to lack of permissions
* Given there is at least one identity defined, as a non-admin, go directly to `/diffusion/identity/view/1/` and get "You do not have permission to view this object."
* Given there is at least one identity defined, as a non-admin, go directly to `/diffusion/identity/edit/1/` and get "You do not have permission to view this object."
* As a non-admin, go directly to `/diffusion/identity/edit/form/default/` and get "You do not have permission to edit this object."
* As a non-admin, go directly to `/diffusion/identity/` and get "No Identities found." instead of seeing the existing identities listed.
* As an admin, go to `/diffusion/identity/` and still see the existing identities listed.
* As an admin, go to `/diffusion/identity/`, select "Create Identity" to go to `/diffusion/identity/edit/` and see the "Create Identity" page (though broken; see T15453)
* As an admin, go to `/diffusion/identity/view/1/` and still see the existing identity.
* As an admin, go to `/diffusion/identity/edit/1/` and successfully edit the existing identity.

Reviewers: O1 Blessed Committers, speck, valerio.bozzolan

Reviewed By: O1 Blessed Committers, speck, valerio.bozzolan

Subscribers: speck, tobiaswiese, valerio.bozzolan, Matthew, Cigaryno

Maniphest Tasks: T15443

Differential Revision: https://we.phorge.it/D25450
This commit is contained in:
Andre Klapper 2023-10-26 21:26:11 +02:00
parent c97a50472c
commit 90f651d669
5 changed files with 27 additions and 2 deletions

View file

@ -4628,6 +4628,7 @@ phutil_register_library_map(array(
'PhabricatorRepositoryIdentityAssignTransaction' => 'applications/repository/xaction/PhabricatorRepositoryIdentityAssignTransaction.php',
'PhabricatorRepositoryIdentityChangeWorker' => 'applications/repository/worker/PhabricatorRepositoryIdentityChangeWorker.php',
'PhabricatorRepositoryIdentityEditEngine' => 'applications/repository/engine/PhabricatorRepositoryIdentityEditEngine.php',
'PhabricatorRepositoryIdentityEditViewCapability' => 'applications/repository/capability/PhabricatorRepositoryIdentityEditViewCapability.php',
'PhabricatorRepositoryIdentityFerretEngine' => 'applications/repository/search/PhabricatorRepositoryIdentityFerretEngine.php',
'PhabricatorRepositoryIdentityPHIDType' => 'applications/repository/phid/PhabricatorRepositoryIdentityPHIDType.php',
'PhabricatorRepositoryIdentityQuery' => 'applications/repository/query/PhabricatorRepositoryIdentityQuery.php',
@ -11325,6 +11326,7 @@ phutil_register_library_map(array(
'PhabricatorRepositoryIdentityAssignTransaction' => 'PhabricatorRepositoryIdentityTransactionType',
'PhabricatorRepositoryIdentityChangeWorker' => 'PhabricatorWorker',
'PhabricatorRepositoryIdentityEditEngine' => 'PhabricatorEditEngine',
'PhabricatorRepositoryIdentityEditViewCapability' => 'PhabricatorPolicyCapability',
'PhabricatorRepositoryIdentityFerretEngine' => 'PhabricatorFerretEngine',
'PhabricatorRepositoryIdentityPHIDType' => 'PhabricatorPHIDType',
'PhabricatorRepositoryIdentityQuery' => 'PhabricatorCursorPagedPolicyAwareQuery',

View file

@ -183,6 +183,9 @@ final class PhabricatorDiffusionApplication extends PhabricatorApplication {
DiffusionCreateRepositoriesCapability::CAPABILITY => array(
'default' => PhabricatorPolicies::POLICY_ADMIN,
),
PhabricatorRepositoryIdentityEditViewCapability::CAPABILITY => array(
'default' => PhabricatorPolicies::POLICY_USER,
),
);
}

View file

@ -0,0 +1,16 @@
<?php
final class PhabricatorRepositoryIdentityEditViewCapability
extends PhabricatorPolicyCapability {
const CAPABILITY = 'repository.identity.create';
public function getCapabilityName() {
return pht('Can Edit and View Identities');
}
public function describeCapabilityRejection() {
return pht('You do not have permission to create or edit identities.');
}
}

View file

@ -70,7 +70,8 @@ final class PhabricatorRepositoryIdentityEditEngine
}
protected function getCreateNewObjectPolicy() {
return PhabricatorPolicies::POLICY_USER;
return $this->getApplication()->getPolicy(
PhabricatorRepositoryIdentityEditViewCapability::CAPABILITY);
}
protected function buildCustomEditFields($object) {

View file

@ -142,7 +142,10 @@ final class PhabricatorRepositoryIdentity
}
public function getPolicy($capability) {
return PhabricatorPolicies::getMostOpenPolicy();
$app = PhabricatorApplication::getByClass(
'PhabricatorDiffusionApplication');
return $app->getPolicy(
PhabricatorRepositoryIdentityEditViewCapability::CAPABILITY);
}
public function hasAutomaticCapability(