From bc22413fa7ddb93a53b708e61611a1e3774f68d6 Mon Sep 17 00:00:00 2001
From: epriestley
Date: Fri, 3 Jul 2015 13:03:33 -0700
Subject: [PATCH] When an install has spaces but a user has no access, roadblock them
Summary: Ref T8449. If a user doesn't have access to any spaces, most applications just don't work, and they fail in confusing ways. Just lock users out of everything explicitly up front with a clear message instead of letting them stumble into a big broken mess.
Test Plan: Locked a user out of all spaces, saw error to that effect.
Reviewers: btrahan, eadler
Reviewed By: eadler
Subscribers: eadler, epriestley
Maniphest Tasks: T8449
Differential Revision: https://secure.phabricator.com/D13545
---
 src/__phutil_library_map__.php | 2 ++
 .../base/controller/PhabricatorController.php | 17 ++++++++++++++--
 .../PhabricatorSpacesNoAccessController.php | 20 +++++++++++++++++++
 3 files changed, 37 insertions(+), 2 deletions(-)
 create mode 100644 src/applications/spaces/controller/PhabricatorSpacesNoAccessController.php
diff --git a/src/__phutil_library_map__.php b/src/__phutil_library_map__.php
index 23d2562822..459c95643c 100644
--- a/src/__phutil_library_map__.php
+++ b/src/__phutil_library_map__.php
@@ -2658,6 +2658,7 @@ phutil_register_library_map(array( 'PhabricatorSpacesNamespaceSearchEngine' => 'applications/spaces/query/PhabricatorSpacesNamespaceSearchEngine.php', 'PhabricatorSpacesNamespaceTransaction' => 'applications/spaces/storage/PhabricatorSpacesNamespaceTransaction.php', 'PhabricatorSpacesNamespaceTransactionQuery' => 'applications/spaces/query/PhabricatorSpacesNamespaceTransactionQuery.php', + 'PhabricatorSpacesNoAccessController' => 'applications/spaces/controller/PhabricatorSpacesNoAccessController.php', 'PhabricatorSpacesRemarkupRule' => 'applications/spaces/remarkup/PhabricatorSpacesRemarkupRule.php', 'PhabricatorSpacesSchemaSpec' => 'applications/spaces/storage/PhabricatorSpacesSchemaSpec.php', 'PhabricatorSpacesTestCase' => 'applications/spaces/__tests__/PhabricatorSpacesTestCase.php', @@ -6450,6 +6451,7 @@ phutil_register_library_map(array( 'PhabricatorSpacesNamespaceSearchEngine' => 'PhabricatorApplicationSearchEngine', 'PhabricatorSpacesNamespaceTransaction' => 'PhabricatorApplicationTransaction', 'PhabricatorSpacesNamespaceTransactionQuery' => 'PhabricatorApplicationTransactionQuery', + 'PhabricatorSpacesNoAccessController' => 'PhabricatorSpacesController', 'PhabricatorSpacesRemarkupRule' => 'PhabricatorObjectRemarkupRule', 'PhabricatorSpacesSchemaSpec' => 'PhabricatorConfigSchemaSpec', 'PhabricatorSpacesTestCase' => 'PhabricatorTestCase', diff --git a/src/applications/base/controller/PhabricatorController.php b/src/applications/base/controller/PhabricatorController.php index 3476bb8f9a..1551667591 100644 --- a/src/applications/base/controller/PhabricatorController.php +++ b/src/applications/base/controller/PhabricatorController.php 
@@ -200,7 +200,8 @@ abstract class PhabricatorController extends AphrontController { if ($this->shouldRequireLogin()) { // This actually means we need either: // - a valid user, or a public controller; and - // - permission to see the application. + // - permission to see the application; and + // - permission to see at least one Space if spaces are configured. $allow_public = $this->shouldAllowPublic() && PhabricatorEnv::getEnvConfig('policy.allow-public'); @@ -223,10 +224,22 @@ abstract class PhabricatorController extends AphrontController { } } + // If Spaces are configured, require that the user have access to at + // least one. If we don't do this, they'll get confusing error messages + // later on. + $spaces = PhabricatorSpacesNamespaceQuery::getSpacesExist(); + if ($spaces) { + $viewer_spaces = PhabricatorSpacesNamespaceQuery::getViewerSpacesExist( + $user); + if (!$viewer_spaces) { + $controller = new PhabricatorSpacesNoAccessController(); + return $this->delegateToController($controller); + } + } + // If the user doesn't have access to the application, don't let them use // any of its controllers. We query the application in order to generate // a policy exception if the viewer doesn't have permission. - $application = $this->getCurrentApplication(); if ($application) { id(new PhabricatorApplicationQuery()) diff --git a/src/applications/spaces/controller/PhabricatorSpacesNoAccessController.php b/src/applications/spaces/controller/PhabricatorSpacesNoAccessController.php new file mode 100644 index 0000000000..7e07bd8e17 --- /dev/null +++ b/src/applications/spaces/controller/PhabricatorSpacesNoAccessController.php 
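Review bot: In the second hunk of PhabricatorController.php the new Spaces gate sits inside the `if ($this->shouldRequireLogin())` branch, so a controller that opts out of login never reaches it, and the comment above the gate should say that it is a usability roadblock rather than the access control itself. I would extend that comment with something like `// This is only an early roadblock; Space policy checks on each object still enforce access.`, assuming the commit summary's "most applications just don't work" means that enforcement already happens elsewhere. The gate also passes `$user` through unchanged, so when `$allow_public` is true a logged-out viewer who can see no Space would presumably get the "your account does not have access" dialog instead of a login prompt; that is worth confirming and, if it holds, handling before the `delegateToController()` call. The enclosing method begins and ends outside the hunk, so the login branch between the two hunks is not visible here.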
@@ -0,0 +1,20 @@ +newDialog() + ->setTitle(pht('No Access to Spaces')) + ->appendParagraph( + pht( + 'This install uses spaces to organize objects, but your account '. + 'does not have access to any spaces.')) + ->appendParagraph( + pht( + 'Ask someone to add you to a Space so you can view and create '. + 'objects.')) + ->addCancelButton('/', pht('Drift Aimlessly')); + } + +}
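Review bot: The dialog's only exit is `->addCancelButton('/', pht('Drift Aimlessly'))`, and `/` will most likely pass through the same Spaces gate in PhabricatorController and render this dialog again, which would leave a locked-out user with no way to switch accounts. Consider pointing the button at a route that is not gated (a log-out action, for example) or adding a second button for that. The "your account" wording also reads oddly if a logged-out viewer can reach this controller through the public path. The class declaration and method signature are missing from this rendering of the hunk, so the documentation suggestion is described rather than placed: a one-line class docblock stating that this controller is reached only by delegation from the base controller's Spaces check.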