mirror of
https://we.phorge.it/source/phorge.git
synced 2024-12-21 04:50:55 +01:00
Use Differential policy columns to drive policies
Summary: Ref T603. Read policies out of policy columns. When a revision is associated with a repository (which is currently never), require view access on the repository to see the revision (or, require the viewer to be the owner). This is a blanket "do the right thing" rule which should make Differential's default policies align with user expectations. Future diffs will populate the `repositoryPHID` when a revision is created. Test Plan: Tooled around Differential. None of this stuff does anything yet, so nothing very exciting happened. Reviewers: btrahan Reviewed By: btrahan CC: aran Maniphest Tasks: T603 Differential Revision: https://secure.phabricator.com/D7134
This commit is contained in:
parent
c458517cb4
commit
d61c931c7b
2 changed files with 79 additions and 1 deletions
|
@ -361,6 +361,59 @@ final class DifferentialRevisionQuery
|
||||||
}
|
}
|
||||||
|
|
||||||
public function willFilterPage(array $revisions) {
|
public function willFilterPage(array $revisions) {
|
||||||
|
$viewer = $this->getViewer();
|
||||||
|
|
||||||
|
$repository_phids = mpull($revisions, 'getRepositoryPHID');
|
||||||
|
$repository_phids = array_filter($repository_phids);
|
||||||
|
|
||||||
|
$repositories = array();
|
||||||
|
if ($repository_phids) {
|
||||||
|
$repositories = id(new PhabricatorRepositoryQuery())
|
||||||
|
->setViewer($this->getViewer())
|
||||||
|
->withPHIDs($repository_phids)
|
||||||
|
->execute();
|
||||||
|
$repositories = mpull($repositories, null, 'getPHID');
|
||||||
|
}
|
||||||
|
|
||||||
|
// If a revision is associated with a repository:
|
||||||
|
//
|
||||||
|
// - the viewer must be able to see the repository; or
|
||||||
|
// - the viewer must have an automatic view capability.
|
||||||
|
//
|
||||||
|
// In the latter case, we'll load the revision but not load the repository.
|
||||||
|
|
||||||
|
$can_view = PhabricatorPolicyCapability::CAN_VIEW;
|
||||||
|
foreach ($revisions as $key => $revision) {
|
||||||
|
$repo_phid = $revision->getRepositoryPHID();
|
||||||
|
if (!$repo_phid) {
|
||||||
|
// The revision has no associated repository. Attach `null` and move on.
|
||||||
|
$revision->attachRepository(null);
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
|
||||||
|
$repository = idx($repositories, $repo_phid);
|
||||||
|
if ($repository) {
|
||||||
|
// The revision has an associated repository, and the viewer can see
|
||||||
|
// it. Attach it and move on.
|
||||||
|
$revision->attachRepository($repository);
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
|
||||||
|
if ($revision->hasAutomaticCapability($can_view, $viewer)) {
|
||||||
|
// The revision has an associated repository which the viewer can not
|
||||||
|
// see, but the viewer has an automatic capability on this revision.
|
||||||
|
// Load the revision without attaching a repository.
|
||||||
|
$revision->attachRepository(null);
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
|
||||||
|
// The revision has an associated repository, and the viewer can't see
|
||||||
|
// it, and the viewer has no special capabilities. Filter out this
|
||||||
|
// revision.
|
||||||
|
unset($revisions[$key]);
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
$table = new DifferentialRevision();
|
$table = new DifferentialRevision();
|
||||||
$conn_r = $table->establishConnection('r');
|
$conn_r = $table->establishConnection('r');
|
||||||
|
|
||||||
|
|
|
@ -34,6 +34,7 @@ final class DifferentialRevision extends DifferentialDAO
|
||||||
private $activeDiff = self::ATTACHABLE;
|
private $activeDiff = self::ATTACHABLE;
|
||||||
private $diffIDs = self::ATTACHABLE;
|
private $diffIDs = self::ATTACHABLE;
|
||||||
private $hashes = self::ATTACHABLE;
|
private $hashes = self::ATTACHABLE;
|
||||||
|
private $repository = self::ATTACHABLE;
|
||||||
|
|
||||||
private $reviewerStatus = self::ATTACHABLE;
|
private $reviewerStatus = self::ATTACHABLE;
|
||||||
|
|
||||||
|
@ -306,10 +307,25 @@ final class DifferentialRevision extends DifferentialDAO
|
||||||
}
|
}
|
||||||
|
|
||||||
public function getPolicy($capability) {
|
public function getPolicy($capability) {
|
||||||
return PhabricatorPolicies::POLICY_USER;
|
switch ($capability) {
|
||||||
|
case PhabricatorPolicyCapability::CAN_VIEW:
|
||||||
|
return $this->getViewPolicy();
|
||||||
|
case PhabricatorPolicyCapability::CAN_EDIT:
|
||||||
|
return $this->getEditPolicy();
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
public function hasAutomaticCapability($capability, PhabricatorUser $user) {
|
public function hasAutomaticCapability($capability, PhabricatorUser $user) {
|
||||||
|
|
||||||
|
// A revision's author (which effectively means "owner" after we added
|
||||||
|
// commandeering) can always view and edit it.
|
||||||
|
$author_phid = $this->getAuthorPHID();
|
||||||
|
if ($author_phid) {
|
||||||
|
if ($user->getPHID() == $author_phid) {
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -329,4 +345,13 @@ final class DifferentialRevision extends DifferentialDAO
|
||||||
$this->reviewerStatus = $reviewers;
|
$this->reviewerStatus = $reviewers;
|
||||||
return $this;
|
return $this;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public function getRepository() {
|
||||||
|
return $this->assertAttached($this->repository);
|
||||||
|
}
|
||||||
|
|
||||||
|
public function attachRepository(PhabricatorRepository $repository = null) {
|
||||||
|
$this->repository = $repository;
|
||||||
|
return $this;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in a new issue