Update PhortunePaymentMethod for modern policy interfaces

Summary: Depends on D20717. Ref T13366. Make PhortunePaymentMethod use an extended policy interface for consistency with modern approaches. Since Accounts have hard-coded policy behavior (and can't have object policies like "Subscribers") this should have no actual impact on program behavior. This leaves one weird piece in the policy dialog UIs, see T13381. Test Plan: Viewed and edited payment methods as a merchant and account member. Merchants can only view, not edit. Maniphest Tasks: T13366 Differential Revision: https://secure.phabricator.com/D20718
2024-11-25 16:22:43 +01:00 · 2019-08-16 10:04:57 -07:00 · 2019-08-16 10:04:57 -07:00 · c4e0ac4d27
commit c4e0ac4d27
parent 0cc7e8eeb8
6 changed files with 87 additions and 20 deletions
--- a/src/__phutil_library_map__.php
+++ b/src/__phutil_library_map__.php
@ -5329,6 +5329,7 @@ phutil_register_library_map(array(
    'PhortunePaymentMethodDisableController' => 'applications/phortune/controller/payment/PhortunePaymentMethodDisableController.php',
    'PhortunePaymentMethodEditController' => 'applications/phortune/controller/payment/PhortunePaymentMethodEditController.php',
    'PhortunePaymentMethodPHIDType' => 'applications/phortune/phid/PhortunePaymentMethodPHIDType.php',
+    'PhortunePaymentMethodPolicyCodex' => 'applications/phortune/codex/PhortunePaymentMethodPolicyCodex.php',
    'PhortunePaymentMethodQuery' => 'applications/phortune/query/PhortunePaymentMethodQuery.php',
    'PhortunePaymentProvider' => 'applications/phortune/provider/PhortunePaymentProvider.php',
    'PhortunePaymentProviderConfig' => 'applications/phortune/storage/PhortunePaymentProviderConfig.php',
@ -11893,11 +11894,14 @@ phutil_register_library_map(array(
    'PhortunePaymentMethod' => array(
      'PhortuneDAO',
      'PhabricatorPolicyInterface',
+      'PhabricatorExtendedPolicyInterface',
+      'PhabricatorPolicyCodexInterface',
    ),
    'PhortunePaymentMethodCreateController' => 'PhortuneController',
    'PhortunePaymentMethodDisableController' => 'PhortuneController',
    'PhortunePaymentMethodEditController' => 'PhortuneController',
    'PhortunePaymentMethodPHIDType' => 'PhabricatorPHIDType',
+    'PhortunePaymentMethodPolicyCodex' => 'PhabricatorPolicyCodex',
    'PhortunePaymentMethodQuery' => 'PhabricatorCursorPagedPolicyAwareQuery',
    'PhortunePaymentProvider' => 'Phobject',
    'PhortunePaymentProviderConfig' => array(
--- a/src/applications/phortune/codex/PhortunePaymentMethodPolicyCodex.php
+++ b/src/applications/phortune/codex/PhortunePaymentMethodPolicyCodex.php
@ -0,0 +1,35 @@
+<?php
+
+final class PhortunePaymentMethodPolicyCodex
+  extends PhabricatorPolicyCodex {
+
+  public function getPolicySpecialRuleDescriptions() {
+    $object = $this->getObject();
+
+    $rules = array();
+
+    $rules[] = $this->newRule()
+      ->setCapabilities(
+        array(
+          PhabricatorPolicyCapability::CAN_VIEW,
+        ))
+      ->setIsActive(true)
+      ->setDescription(
+        pht(
+          'Account members may view and edit payment methods.'));
+
+    $rules[] = $this->newRule()
+      ->setCapabilities(
+        array(
+          PhabricatorPolicyCapability::CAN_VIEW,
+        ))
+      ->setIsActive(true)
+      ->setDescription(
+        pht(
+          'Merchants you have a relationship with may view associated '.
+          'payment methods.'));
+
+    return $rules;
+  }
+
+}
--- a/src/applications/phortune/controller/account/PhortuneAccountPaymentMethodsController.php
+++ b/src/applications/phortune/controller/account/PhortuneAccountPaymentMethodsController.php
@ -34,7 +34,6 @@ final class PhortuneAccountPaymentMethodsController
      ->setCrumbs($crumbs)
      ->setNavigation($navigation)
      ->appendChild($view);
-
  }

  private function buildPaymentMethodsSection(PhortuneAccount $account) {
--- a/src/applications/phortune/query/PhortunePaymentMethodQuery.php
+++ b/src/applications/phortune/query/PhortunePaymentMethodQuery.php
@ -53,6 +53,7 @@ final class PhortunePaymentMethodQuery
      $account = idx($accounts, $method->getAccountPHID());
      if (!$account) {
        unset($methods[$key]);
+        $this->didRejectResult($method);
        continue;
      }
      $method->attachAccount($account);
@ -72,6 +73,7 @@ final class PhortunePaymentMethodQuery
      $merchant = idx($merchants, $method->getMerchantPHID());
      if (!$merchant) {
        unset($methods[$key]);
+        $this->didRejectResult($method);
        continue;
      }
      $method->attachMerchant($merchant);
@ -91,6 +93,7 @@ final class PhortunePaymentMethodQuery
      $provider_config = idx($provider_configs, $method->getProviderPHID());
      if (!$provider_config) {
        unset($methods[$key]);
+        $this->didRejectResult($method);
        continue;
      }
      $method->attachProviderConfig($provider_config);
--- a/src/applications/phortune/storage/PhortunePaymentMethod.php
+++ b/src/applications/phortune/storage/PhortunePaymentMethod.php
@ -4,8 +4,12 @@
 * A payment method is a credit card; it is associated with an account and
 * charges can be made against it.
 */
-final class PhortunePaymentMethod extends PhortuneDAO
-  implements PhabricatorPolicyInterface {
+final class PhortunePaymentMethod
+  extends PhortuneDAO
+  implements
+    PhabricatorPolicyInterface,
+    PhabricatorExtendedPolicyInterface,
+    PhabricatorPolicyCodexInterface {

  const STATUS_ACTIVE     = 'payment:active';
  const STATUS_DISABLED   = 'payment:disabled';
@ -148,18 +152,50 @@ final class PhortunePaymentMethod extends PhortuneDAO
  }

  public function getPolicy($capability) {
-    return $this->getAccount()->getPolicy($capability);
+    return PhabricatorPolicies::getMostOpenPolicy();
  }

  public function hasAutomaticCapability($capability, PhabricatorUser $viewer) {
-    return $this->getAccount()->hasAutomaticCapability(
-      $capability,
-      $viewer);
+
+    // See T13366. If you can edit the merchant associated with this payment
+    // method, you can view the payment method.
+    if ($capability === PhabricatorPolicyCapability::CAN_VIEW) {
+      $any_edit = PhortuneMerchantQuery::canViewersEditMerchants(
+        array($viewer->getPHID()),
+        array($this->getMerchantPHID()));
+      if ($any_edit) {
+        return true;
+      }
+    }
+
+    return false;
  }

-  public function describeAutomaticCapability($capability) {
-    return pht(
-      'Members of an account can always view and edit its payment methods.');
+
+/* -(  PhabricatorExtendedPolicyInterface  )--------------------------------- */
+
+
+  public function getExtendedPolicy($capability, PhabricatorUser $viewer) {
+    if ($this->hasAutomaticCapability($capability, $viewer)) {
+      return array();
+    }
+
+    // See T13366. For blanket view and edit permissions on all payment
+    // methods, you must be able to edit the associated account.
+    return array(
+      array(
+        $this->getAccount(),
+        PhabricatorPolicyCapability::CAN_EDIT,
+      ),
+    );
+  }
+
+
+/* -(  PhabricatorPolicyCodexInterface  )------------------------------------ */
+
+
+  public function newPolicyCodex() {
+    return new PhortunePaymentMethodPolicyCodex();
  }

 }
--- a/src/applications/policy/codex/PhabricatorPolicyCodex.php
+++ b/src/applications/policy/codex/PhabricatorPolicyCodex.php
@ -44,16 +44,6 @@ abstract class PhabricatorPolicyCodex
    return null;
  }

-  final public function getPolicySpecialRuleForCapability($capability) {
-    foreach ($this->getPolicySpecialRuleDescriptions() as $rule) {
-      if (in_array($capability, $rule->getCapabilities())) {
-        return $rule;
-      }
-    }
-
-    return null;
-  }
-
  final protected function newRule() {
    return new PhabricatorPolicyCodexRuleDescription();
  }