mirror of https://we.phorge.it/source/phorge.git (synced 2024-12-21 04:50:55 +01:00)
Prevent administrators from locking themselves out of applications
Summary: Ref T603. This could be a nicer UX, but limit the amount of foot-shooting that users can possibly do. You can still manage if you're really tricky ("Members of project X", then leave the project) but this should make it hard to make a mistake. It seems very unlikely any user ever intends to lock themselves out of an application.

Test Plan: Set an application's view policy to permissive ("Administrators") and nonpermissive ("No One") values. The former were accepted, the latter rejected.

Reviewers: btrahan

Reviewed By: btrahan

CC: aran

Maniphest Tasks: T603

Differential Revision: https://secure.phabricator.com/D7218
parent 1a5de83ad1
commit a600ab7731
1 changed files with 13 additions and 0 deletions
|
@ -75,6 +75,19 @@ final class PhabricatorApplicationEditController
|
||||||
|
|
||||||
$value[$phid]['policy'] = $result + $value[$phid]['policy'];
|
$value[$phid]['policy'] = $result + $value[$phid]['policy'];
|
||||||
|
|
||||||
|
// Don't allow users to make policy edits which would lock them out of
|
||||||
|
// applications, since they would be unable to undo those actions.
|
||||||
|
PhabricatorEnv::overrideConfig($key, $value);
|
||||||
|
PhabricatorPolicyFilter::mustRetainCapability(
|
||||||
|
$user,
|
||||||
|
$application,
|
||||||
|
PhabricatorPolicyCapability::CAN_VIEW);
|
||||||
|
|
||||||
|
PhabricatorPolicyFilter::mustRetainCapability(
|
||||||
|
$user,
|
||||||
|
$application,
|
||||||
|
PhabricatorPolicyCapability::CAN_EDIT);
|
||||||
|
|
||||||
PhabricatorConfigEditor::storeNewValue(
|
PhabricatorConfigEditor::storeNewValue(
|
||||||
$config_entry,
|
$config_entry,
|
||||||
$value,
|
$value,
|
||||||
|
|
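Review bot: The `PhabricatorEnv::overrideConfig($key, $value);` call placed ahead of the two `mustRetainCapability` checks applies the new policy to the running configuration before the edit has been validated, and nothing in these lines restores the previous value when a check rejects it. If the rejection is handled later in the same request, any policy check made while reporting the error would be evaluated against the rejected policy. Consider scoping the override to the two checks, or restoring the old value on failure, so that only `storeNewValue` makes the change stick. The comment above the override could also record the case the commit summary concedes (a policy such as "Members of project X" passes the check now and locks the user out once they leave the project), so the limit of this guard is documented at the call site.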