From 90f651d669e447f6263574eea672827503f7b6d3 Mon Sep 17 00:00:00 2001 
From: Andre Klapper Date: Thu, 26 Oct 2023 21:26:11 +0200 Subject: [PATCH] Add Diffusion policy capability "Can Edit and View Identities" Summary: Make it possible not to allow anyone to edit Diffusion identities. Make it possible not to allow anyone to view other users' email addresses. Closes T15443 Test Plan: * As an admin, go to `/applications/view/PhabricatorDiffusionApplication/` and see new policy "Can Edit and View Identities" set to "All Users" (as implicitly before) * As an admin, go to `/applications/view/PhabricatorDiffusionApplication/` and change "Can Edit and View Identities" from "All Users" to "Administrators" * As a non-admin, go to `/diffusion/identity/` and try to select the disabled "Create Identity" button; get an error message clicking it due to lack of permissions * Given there is at least one identity defined, as a non-admin, go directly to `/diffusion/identity/view/1/` and get "You do not have permission to view this object." * Given there is at least one identity defined, as a non-admin, go directly to `/diffusion/identity/edit/1/` and get "You do not have permission to view this object." * As a non-admin, go directly to `/diffusion/identity/edit/form/default/` and get "You do not have permission to edit this object." * As a non-admin, go directly to `/diffusion/identity/` and get "No Identities found." instead of seeing the existing identities listed. * As an admin, go to `/diffusion/identity/` and still see the existing identities listed. * As an admin, go to `/diffusion/identity/`, select "Create Identity" to go to `/diffusion/identity/edit/` and see the "Create Identity" page (though broken; see T15453) * As an admin, go to `/diffusion/identity/view/1/` and still see the existing identity. * As an admin, go to `/diffusion/identity/edit/1/` and successfully edit the existing identity. 
Reviewers: O1 Blessed Committers, speck, valerio.bozzolan Reviewed By: O1 Blessed Committers, speck, valerio.bozzolan Subscribers: speck, tobiaswiese, valerio.bozzolan, Matthew, Cigaryno Maniphest Tasks: T15443 Differential Revision: https://we.phorge.it/D25450
---
 src/__phutil_library_map__.php | 2 ++
 .../PhabricatorDiffusionApplication.php | 3 +++
 ...catorRepositoryIdentityEditViewCapability.php | 16 ++++++++++++++++
 .../PhabricatorRepositoryIdentityEditEngine.php | 3 ++-
 .../storage/PhabricatorRepositoryIdentity.php | 5 ++++-
 5 files changed, 27 insertions(+), 2 deletions(-)
 create mode 100644 src/applications/repository/capability/PhabricatorRepositoryIdentityEditViewCapability.php
diff --git a/src/__phutil_library_map__.php b/src/__phutil_library_map__.php
index d223f47515..ad0d8fc937 100644
--- a/src/__phutil_library_map__.php
+++ b/src/__phutil_library_map__.php
@@ -4628,6 +4628,7 @@ phutil_register_library_map(array( 'PhabricatorRepositoryIdentityAssignTransaction' => 'applications/repository/xaction/PhabricatorRepositoryIdentityAssignTransaction.php', 'PhabricatorRepositoryIdentityChangeWorker' => 'applications/repository/worker/PhabricatorRepositoryIdentityChangeWorker.php', 'PhabricatorRepositoryIdentityEditEngine' => 'applications/repository/engine/PhabricatorRepositoryIdentityEditEngine.php', + 'PhabricatorRepositoryIdentityEditViewCapability' => 'applications/repository/capability/PhabricatorRepositoryIdentityEditViewCapability.php', 'PhabricatorRepositoryIdentityFerretEngine' => 'applications/repository/search/PhabricatorRepositoryIdentityFerretEngine.php', 'PhabricatorRepositoryIdentityPHIDType' => 'applications/repository/phid/PhabricatorRepositoryIdentityPHIDType.php', 'PhabricatorRepositoryIdentityQuery' => 'applications/repository/query/PhabricatorRepositoryIdentityQuery.php',
@@ -11325,6 +11326,7 @@ phutil_register_library_map(array( 'PhabricatorRepositoryIdentityAssignTransaction' => 'PhabricatorRepositoryIdentityTransactionType', 'PhabricatorRepositoryIdentityChangeWorker' => 'PhabricatorWorker', 'PhabricatorRepositoryIdentityEditEngine' => 'PhabricatorEditEngine', + 'PhabricatorRepositoryIdentityEditViewCapability' => 'PhabricatorPolicyCapability', 'PhabricatorRepositoryIdentityFerretEngine' => 'PhabricatorFerretEngine', 'PhabricatorRepositoryIdentityPHIDType' => 'PhabricatorPHIDType', 'PhabricatorRepositoryIdentityQuery' => 'PhabricatorCursorPagedPolicyAwareQuery',
diff --git a/src/applications/diffusion/application/PhabricatorDiffusionApplication.php b/src/applications/diffusion/application/PhabricatorDiffusionApplication.php
index e0e74486da..ccd311fa7e 100644
--- a/src/applications/diffusion/application/PhabricatorDiffusionApplication.php
+++ b/src/applications/diffusion/application/PhabricatorDiffusionApplication.php
@@ -183,6 +183,9 @@ final class PhabricatorDiffusionApplication extends PhabricatorApplication {
 DiffusionCreateRepositoriesCapability::CAPABILITY => array(
 'default' => PhabricatorPolicies::POLICY_ADMIN,
 ),
+ PhabricatorRepositoryIdentityEditViewCapability::CAPABILITY => array(
+ 'default' => PhabricatorPolicies::POLICY_USER,
+ ),
 );
 }
diff --git a/src/applications/repository/capability/PhabricatorRepositoryIdentityEditViewCapability.php b/src/applications/repository/capability/PhabricatorRepositoryIdentityEditViewCapability.php
new file mode 100644
index 0000000000..9bb9b62ebc
--- /dev/null
+++ b/src/applications/repository/capability/PhabricatorRepositoryIdentityEditViewCapability.php
@@ -0,0 +1,16 @@ +getApplication()->getPolicy( + PhabricatorRepositoryIdentityEditViewCapability::CAPABILITY); } protected function buildCustomEditFields($object) {
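Review bot: The new capability entry in PhabricatorDiffusionApplication.php declares only a `'default'`, so the policy editor gives an administrator no hint that this one setting governs both viewing and editing of identities and, per the summary, the visibility of other users' email addresses. A caption would carry that, for example `'caption' => pht('Controls who can view and edit repository identities, including the email addresses they contain.'),`. Separately, the default is `POLICY_USER` while the code removed from PhabricatorRepositoryIdentity.php returned `getMostOpenPolicy()`; if that resolved to the public policy on installs that allow public access, logged-out viewers lose access after upgrade, which is the safer direction but is worth stating in the description rather than "as implicitly before".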
diff --git a/src/applications/repository/storage/PhabricatorRepositoryIdentity.php b/src/applications/repository/storage/PhabricatorRepositoryIdentity.php
index 74fbd06544..df19f302f6 100644
--- a/src/applications/repository/storage/PhabricatorRepositoryIdentity.php
+++ b/src/applications/repository/storage/PhabricatorRepositoryIdentity.php
@@ -142,7 +142,10 @@ final class PhabricatorRepositoryIdentity
 }
 public function getPolicy($capability) {
- return PhabricatorPolicies::getMostOpenPolicy();
+ $app = PhabricatorApplication::getByClass(
+ 'PhabricatorDiffusionApplication');
+ return $app->getPolicy(
+ PhabricatorRepositoryIdentityEditViewCapability::CAPABILITY);
 }
 public function hasAutomaticCapability(
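Review bot: `getPolicy($capability)` now returns the same application policy whatever capability is asked for, and nothing in the hunk says that ignoring the argument is deliberate; a comment such as `// View and edit are intentionally governed by one application capability.` above the `$app` lookup would keep a later change from splitting them by accident. Because the object policy is no longer the most open one, any code path that loads identities on behalf of the viewing user will now get a filtered result when that user lacks the capability. The test plan covers the `/diffusion/identity/` pages only, so callers outside them (presumably commit and author rendering) should be checked to confirm they degrade cleanly. The body of `hasAutomaticCapability` lies outside the hunk, so whether it grants any bypass of this policy cannot be confirmed here.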