mirror of
https://we.phorge.it/source/phorge.git
synced 2024-11-25 08:12:40 +01:00
Add Diffusion policy capability "Can Edit and View Identities"
Summary: Make it possible not to allow anyone to edit Diffusion identities. Make it possible not to allow anyone to view other users' email addresses. Closes T15443 Test Plan: * As an admin, go to `/applications/view/PhabricatorDiffusionApplication/` and see new policy "Can Edit and View Identities" set to "All Users" (as implicitly before) * As an admin, go to `/applications/view/PhabricatorDiffusionApplication/` and change "Can Edit and View Identities" from "All Users" to "Administrators" * As a non-admin, go to `/diffusion/identity/` and try to select the disabled "Create Identity" button; get an error message clicking it due to lack of permissions * Given there is at least one identity defined, as a non-admin, go directly to `/diffusion/identity/view/1/` and get "You do not have permission to view this object." * Given there is at least one identity defined, as a non-admin, go directly to `/diffusion/identity/edit/1/` and get "You do not have permission to view this object." * As a non-admin, go directly to `/diffusion/identity/edit/form/default/` and get "You do not have permission to edit this object." * As a non-admin, go directly to `/diffusion/identity/` and get "No Identities found." instead of seeing the existing identities listed. * As an admin, go to `/diffusion/identity/` and still see the existing identities listed. * As an admin, go to `/diffusion/identity/`, select "Create Identity" to go to `/diffusion/identity/edit/` and see the "Create Identity" page (though broken; see T15453) * As an admin, go to `/diffusion/identity/view/1/` and still see the existing identity. * As an admin, go to `/diffusion/identity/edit/1/` and successfully edit the existing identity. Reviewers: O1 Blessed Committers, speck, valerio.bozzolan Reviewed By: O1 Blessed Committers, speck, valerio.bozzolan Subscribers: speck, tobiaswiese, valerio.bozzolan, Matthew, Cigaryno Maniphest Tasks: T15443 Differential Revision: https://we.phorge.it/D25450
This commit is contained in:
parent
c97a50472c
commit
90f651d669
5 changed files with 27 additions and 2 deletions
|
@ -4628,6 +4628,7 @@ phutil_register_library_map(array(
|
||||||
'PhabricatorRepositoryIdentityAssignTransaction' => 'applications/repository/xaction/PhabricatorRepositoryIdentityAssignTransaction.php',
|
'PhabricatorRepositoryIdentityAssignTransaction' => 'applications/repository/xaction/PhabricatorRepositoryIdentityAssignTransaction.php',
|
||||||
'PhabricatorRepositoryIdentityChangeWorker' => 'applications/repository/worker/PhabricatorRepositoryIdentityChangeWorker.php',
|
'PhabricatorRepositoryIdentityChangeWorker' => 'applications/repository/worker/PhabricatorRepositoryIdentityChangeWorker.php',
|
||||||
'PhabricatorRepositoryIdentityEditEngine' => 'applications/repository/engine/PhabricatorRepositoryIdentityEditEngine.php',
|
'PhabricatorRepositoryIdentityEditEngine' => 'applications/repository/engine/PhabricatorRepositoryIdentityEditEngine.php',
|
||||||
|
'PhabricatorRepositoryIdentityEditViewCapability' => 'applications/repository/capability/PhabricatorRepositoryIdentityEditViewCapability.php',
|
||||||
'PhabricatorRepositoryIdentityFerretEngine' => 'applications/repository/search/PhabricatorRepositoryIdentityFerretEngine.php',
|
'PhabricatorRepositoryIdentityFerretEngine' => 'applications/repository/search/PhabricatorRepositoryIdentityFerretEngine.php',
|
||||||
'PhabricatorRepositoryIdentityPHIDType' => 'applications/repository/phid/PhabricatorRepositoryIdentityPHIDType.php',
|
'PhabricatorRepositoryIdentityPHIDType' => 'applications/repository/phid/PhabricatorRepositoryIdentityPHIDType.php',
|
||||||
'PhabricatorRepositoryIdentityQuery' => 'applications/repository/query/PhabricatorRepositoryIdentityQuery.php',
|
'PhabricatorRepositoryIdentityQuery' => 'applications/repository/query/PhabricatorRepositoryIdentityQuery.php',
|
||||||
|
@ -11325,6 +11326,7 @@ phutil_register_library_map(array(
|
||||||
'PhabricatorRepositoryIdentityAssignTransaction' => 'PhabricatorRepositoryIdentityTransactionType',
|
'PhabricatorRepositoryIdentityAssignTransaction' => 'PhabricatorRepositoryIdentityTransactionType',
|
||||||
'PhabricatorRepositoryIdentityChangeWorker' => 'PhabricatorWorker',
|
'PhabricatorRepositoryIdentityChangeWorker' => 'PhabricatorWorker',
|
||||||
'PhabricatorRepositoryIdentityEditEngine' => 'PhabricatorEditEngine',
|
'PhabricatorRepositoryIdentityEditEngine' => 'PhabricatorEditEngine',
|
||||||
|
'PhabricatorRepositoryIdentityEditViewCapability' => 'PhabricatorPolicyCapability',
|
||||||
'PhabricatorRepositoryIdentityFerretEngine' => 'PhabricatorFerretEngine',
|
'PhabricatorRepositoryIdentityFerretEngine' => 'PhabricatorFerretEngine',
|
||||||
'PhabricatorRepositoryIdentityPHIDType' => 'PhabricatorPHIDType',
|
'PhabricatorRepositoryIdentityPHIDType' => 'PhabricatorPHIDType',
|
||||||
'PhabricatorRepositoryIdentityQuery' => 'PhabricatorCursorPagedPolicyAwareQuery',
|
'PhabricatorRepositoryIdentityQuery' => 'PhabricatorCursorPagedPolicyAwareQuery',
|
||||||
|
|
|
@ -183,6 +183,9 @@ final class PhabricatorDiffusionApplication extends PhabricatorApplication {
|
||||||
DiffusionCreateRepositoriesCapability::CAPABILITY => array(
|
DiffusionCreateRepositoriesCapability::CAPABILITY => array(
|
||||||
'default' => PhabricatorPolicies::POLICY_ADMIN,
|
'default' => PhabricatorPolicies::POLICY_ADMIN,
|
||||||
),
|
),
|
||||||
|
PhabricatorRepositoryIdentityEditViewCapability::CAPABILITY => array(
|
||||||
|
'default' => PhabricatorPolicies::POLICY_USER,
|
||||||
|
),
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -0,0 +1,16 @@
|
||||||
|
<?php
|
||||||
|
|
||||||
|
final class PhabricatorRepositoryIdentityEditViewCapability
|
||||||
|
extends PhabricatorPolicyCapability {
|
||||||
|
|
||||||
|
const CAPABILITY = 'repository.identity.create';
|
||||||
|
|
||||||
|
public function getCapabilityName() {
|
||||||
|
return pht('Can Edit and View Identities');
|
||||||
|
}
|
||||||
|
|
||||||
|
public function describeCapabilityRejection() {
|
||||||
|
return pht('You do not have permission to create or edit identities.');
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
|
@ -70,7 +70,8 @@ final class PhabricatorRepositoryIdentityEditEngine
|
||||||
}
|
}
|
||||||
|
|
||||||
protected function getCreateNewObjectPolicy() {
|
protected function getCreateNewObjectPolicy() {
|
||||||
return PhabricatorPolicies::POLICY_USER;
|
return $this->getApplication()->getPolicy(
|
||||||
|
PhabricatorRepositoryIdentityEditViewCapability::CAPABILITY);
|
||||||
}
|
}
|
||||||
|
|
||||||
protected function buildCustomEditFields($object) {
|
protected function buildCustomEditFields($object) {
|
||||||
|
|
|
@ -142,7 +142,10 @@ final class PhabricatorRepositoryIdentity
|
||||||
}
|
}
|
||||||
|
|
||||||
public function getPolicy($capability) {
|
public function getPolicy($capability) {
|
||||||
return PhabricatorPolicies::getMostOpenPolicy();
|
$app = PhabricatorApplication::getByClass(
|
||||||
|
'PhabricatorDiffusionApplication');
|
||||||
|
return $app->getPolicy(
|
||||||
|
PhabricatorRepositoryIdentityEditViewCapability::CAPABILITY);
|
||||||
}
|
}
|
||||||
|
|
||||||
public function hasAutomaticCapability(
|
public function hasAutomaticCapability(
|
||||||
|
|
Loading…
Reference in a new issue