From e85dfcbeeeb3f96d1df3a8212d024b4507e14745 Mon Sep 17 00:00:00 2001
From: Bob Trahan
Date: Mon, 12 Jan 2015 15:18:16 -0800
Subject: [PATCH] People - add application policy on user creation
Summary: Ref T6947.
Test Plan: made the setting say only admin user a and noted admin user b lost access
Reviewers: epriestley
Reviewed By: epriestley
Subscribers: Korvin, epriestley
Maniphest Tasks: T4137, T6947
Differential Revision: https://secure.phabricator.com/D11357
---
 src/__phutil_library_map__.php | 2 ++
 .../application/PhabricatorPeopleApplication.php | 3 +++
 .../capability/PeopleCreateUsersCapability.php | 16 ++++++++++++++++
 .../controller/PhabricatorPeopleController.php | 15 ++++++++-------
 .../PhabricatorPeopleCreateController.php | 5 +++--
 .../PhabricatorPeopleLdapController.php | 6 +++---
 .../PhabricatorPeopleNewController.php | 15 +++++----------
 7 files changed, 40 insertions(+), 22 deletions(-)
 create mode 100644 src/applications/people/capability/PeopleCreateUsersCapability.php
diff --git a/src/__phutil_library_map__.php b/src/__phutil_library_map__.php
index 32f6a0ecd4..2d77574016 100644
--- a/src/__phutil_library_map__.php
+++ b/src/__phutil_library_map__.php
@@ -1224,6 +1224,7 @@ phutil_register_library_map(array(
 'PasteQueryConduitAPIMethod' => 'applications/paste/conduit/PasteQueryConduitAPIMethod.php',
 'PasteReplyHandler' => 'applications/paste/mail/PasteReplyHandler.php',
 'PeopleBrowseUserDirectoryCapability' => 'applications/people/capability/PeopleBrowseUserDirectoryCapability.php',
+ 'PeopleCreateUsersCapability' => 'applications/people/capability/PeopleCreateUsersCapability.php',
 'PeopleUserLogGarbageCollector' => 'applications/people/garbagecollector/PeopleUserLogGarbageCollector.php',
 'Phabricator404Controller' => 'applications/base/controller/Phabricator404Controller.php',
 'PhabricatorAPCSetupCheck' => 'applications/config/check/PhabricatorAPCSetupCheck.php',
@@ -4382,6 +4383,7 @@ phutil_register_library_map(array(
 'PasteQueryConduitAPIMethod' => 'PasteConduitAPIMethod',
 'PasteReplyHandler' => 'PhabricatorMailReplyHandler',
 'PeopleBrowseUserDirectoryCapability' => 'PhabricatorPolicyCapability',
+ 'PeopleCreateUsersCapability' => 'PhabricatorPolicyCapability',
 'PeopleUserLogGarbageCollector' => 'PhabricatorGarbageCollector',
 'Phabricator404Controller' => 'PhabricatorController',
 'PhabricatorAPCSetupCheck' => 'PhabricatorSetupCheck',
diff --git a/src/applications/people/application/PhabricatorPeopleApplication.php b/src/applications/people/application/PhabricatorPeopleApplication.php
index 8d7421cb12..6f6c2c282c 100644
--- a/src/applications/people/application/PhabricatorPeopleApplication.php
+++ b/src/applications/people/application/PhabricatorPeopleApplication.php
@@ -78,6 +78,9 @@ final class PhabricatorPeopleApplication extends PhabricatorApplication {
 protected function getCustomCapabilities() {
 return array(
+ PeopleCreateUsersCapability::CAPABILITY => array(
+ 'default' => PhabricatorPolicies::POLICY_ADMIN,
+ ),
 PeopleBrowseUserDirectoryCapability::CAPABILITY => array(),
 );
 }
diff --git a/src/applications/people/capability/PeopleCreateUsersCapability.php b/src/applications/people/capability/PeopleCreateUsersCapability.php
new file mode 100644
index 0000000000..26d8b7ffe3
--- /dev/null
+++ b/src/applications/people/capability/PeopleCreateUsersCapability.php
@@ -0,0 +1,16 @@
+getRequest()->getUser();
- if ($viewer->getIsAdmin()) {
- $crumbs->addAction(
- id(new PHUIListItemView())
- ->setName(pht('Create New User'))
- ->setHref($this->getApplicationURI('create/'))
- ->setIcon('fa-plus-square'));
- }
+ $can_create = $this->hasApplicationCapability(
+ PeopleCreateUsersCapability::CAPABILITY);
+ $crumbs->addAction(
+ id(new PHUIListItemView())
+ ->setName(pht('Create New User'))
+ ->setHref($this->getApplicationURI('create/'))
+ ->setDisabled(!$can_create)
+ ->setIcon('fa-plus-square'));
 return $crumbs;
 }
diff --git a/src/applications/people/controller/PhabricatorPeopleCreateController.php b/src/applications/people/controller/PhabricatorPeopleCreateController.php
index 38d79af0f5..b8852f2e42 100644
--- a/src/applications/people/controller/PhabricatorPeopleCreateController.php
+++ b/src/applications/people/controller/PhabricatorPeopleCreateController.php
@@ -3,8 +3,9 @@
 final class PhabricatorPeopleCreateController
 extends PhabricatorPeopleController {
- public function processRequest() {
- $request = $this->getRequest();
+ public function handleRequest(AphrontRequest $request) {
+ $this->requireApplicationCapability(
+ PeopleCreateUsersCapability::CAPABILITY);
 $admin = $request->getUser();
 id(new PhabricatorAuthSessionEngine())->requireHighSecuritySession(
diff --git a/src/applications/people/controller/PhabricatorPeopleLdapController.php b/src/applications/people/controller/PhabricatorPeopleLdapController.php
index 57b3383ad2..71f3d94b14 100644
--- a/src/applications/people/controller/PhabricatorPeopleLdapController.php
+++ b/src/applications/people/controller/PhabricatorPeopleLdapController.php
@@ -3,9 +3,9 @@
 final class PhabricatorPeopleLdapController
 extends PhabricatorPeopleController {
- public function processRequest() {
-
- $request = $this->getRequest();
+ public function handleRequest(AphrontRequest $request) {
+ $this->requireApplicationCapability(
+ PeopleCreateUsersCapability::CAPABILITY);
 $admin = $request->getUser();
 $content = array();
diff --git a/src/applications/people/controller/PhabricatorPeopleNewController.php b/src/applications/people/controller/PhabricatorPeopleNewController.php
index a766f3fdd3..a64d00f26f 100644
--- a/src/applications/people/controller/PhabricatorPeopleNewController.php
+++ b/src/applications/people/controller/PhabricatorPeopleNewController.php
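Review bot: `$admin = $request->getUser();` keeps a name that no longer matches the gate introduced just above it: the actor is now whoever satisfies PeopleCreateUsersCapability, a configurable policy whose default merely happens to be administrators, so `$admin` misleads anyone auditing the privileged steps that follow; renaming it `$viewer = $request->getUser();` (and its later uses) would be clearer. The same rename applies to the PhabricatorPeopleLdapController hunk in this section and to the PhabricatorPeopleNewController hunk below. Calling requireApplicationCapability() before the requireHighSecuritySession() call that follows is the right order, since an actor without the capability is rejected before any high-security re-authentication is requested. The body of handleRequest continues beyond the hunk in all three controllers, so the later uses of `$admin` are not visible here.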
@@ -3,17 +3,13 @@
 final class PhabricatorPeopleNewController
 extends PhabricatorPeopleController {
- private $type;
-
- public function willProcessRequest(array $data) {
- $this->type = $data['type'];
- }
-
- public function processRequest() {
- $request = $this->getRequest();
+ public function handleRequest(AphrontRequest $request) {
+ $this->requireApplicationCapability(
+ PeopleCreateUsersCapability::CAPABILITY);
+ $type = $request->getURIData('type');
 $admin = $request->getUser();
- switch ($this->type) {
+ switch ($type) {
 case 'standard':
 $is_bot = false;
 break;
@@ -36,7 +32,6 @@ final class PhabricatorPeopleNewController
 $new_email = null;
- $request = $this->getRequest();
 if ($request->isFormPost()) {
 $welcome_checked = $request->getInt('welcome');