People - add application policy on user creation
Summary: Ref T6947. Test Plan: Set the policy setting to only admin user A and confirmed that admin user B lost access. Reviewers: epriestley Reviewed By: epriestley Subscribers: Korvin, epriestley Maniphest Tasks: T4137, T6947 Differential Revision: https://secure.phabricator.com/D11357
parent
f3db0891c7
commit
e85dfcbeee
7 changed files with 40 additions and 22 deletions
|
@ -1224,6 +1224,7 @@ phutil_register_library_map(array(
|
||||||
'PasteQueryConduitAPIMethod' => 'applications/paste/conduit/PasteQueryConduitAPIMethod.php',
|
'PasteQueryConduitAPIMethod' => 'applications/paste/conduit/PasteQueryConduitAPIMethod.php',
|
||||||
'PasteReplyHandler' => 'applications/paste/mail/PasteReplyHandler.php',
|
'PasteReplyHandler' => 'applications/paste/mail/PasteReplyHandler.php',
|
||||||
'PeopleBrowseUserDirectoryCapability' => 'applications/people/capability/PeopleBrowseUserDirectoryCapability.php',
|
'PeopleBrowseUserDirectoryCapability' => 'applications/people/capability/PeopleBrowseUserDirectoryCapability.php',
|
||||||
|
'PeopleCreateUsersCapability' => 'applications/people/capability/PeopleCreateUsersCapability.php',
|
||||||
'PeopleUserLogGarbageCollector' => 'applications/people/garbagecollector/PeopleUserLogGarbageCollector.php',
|
'PeopleUserLogGarbageCollector' => 'applications/people/garbagecollector/PeopleUserLogGarbageCollector.php',
|
||||||
'Phabricator404Controller' => 'applications/base/controller/Phabricator404Controller.php',
|
'Phabricator404Controller' => 'applications/base/controller/Phabricator404Controller.php',
|
||||||
'PhabricatorAPCSetupCheck' => 'applications/config/check/PhabricatorAPCSetupCheck.php',
|
'PhabricatorAPCSetupCheck' => 'applications/config/check/PhabricatorAPCSetupCheck.php',
|
||||||
|
@ -4382,6 +4383,7 @@ phutil_register_library_map(array(
|
||||||
'PasteQueryConduitAPIMethod' => 'PasteConduitAPIMethod',
|
'PasteQueryConduitAPIMethod' => 'PasteConduitAPIMethod',
|
||||||
'PasteReplyHandler' => 'PhabricatorMailReplyHandler',
|
'PasteReplyHandler' => 'PhabricatorMailReplyHandler',
|
||||||
'PeopleBrowseUserDirectoryCapability' => 'PhabricatorPolicyCapability',
|
'PeopleBrowseUserDirectoryCapability' => 'PhabricatorPolicyCapability',
|
||||||
|
'PeopleCreateUsersCapability' => 'PhabricatorPolicyCapability',
|
||||||
'PeopleUserLogGarbageCollector' => 'PhabricatorGarbageCollector',
|
'PeopleUserLogGarbageCollector' => 'PhabricatorGarbageCollector',
|
||||||
'Phabricator404Controller' => 'PhabricatorController',
|
'Phabricator404Controller' => 'PhabricatorController',
|
||||||
'PhabricatorAPCSetupCheck' => 'PhabricatorSetupCheck',
|
'PhabricatorAPCSetupCheck' => 'PhabricatorSetupCheck',
|
||||||
|
|
|
@ -78,6 +78,9 @@ final class PhabricatorPeopleApplication extends PhabricatorApplication {
|
||||||
|
|
||||||
protected function getCustomCapabilities() {
|
protected function getCustomCapabilities() {
|
||||||
return array(
|
return array(
|
||||||
|
PeopleCreateUsersCapability::CAPABILITY => array(
|
||||||
|
'default' => PhabricatorPolicies::POLICY_ADMIN,
|
||||||
|
),
|
||||||
PeopleBrowseUserDirectoryCapability::CAPABILITY => array(),
|
PeopleBrowseUserDirectoryCapability::CAPABILITY => array(),
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
|
|
|
@ -0,0 +1,16 @@
|
||||||
|
<?php
|
||||||
|
|
||||||
|
final class PeopleCreateUsersCapability
|
||||||
|
extends PhabricatorPolicyCapability {
|
||||||
|
|
||||||
|
const CAPABILITY = 'people.create.users';
|
||||||
|
|
||||||
|
public function getCapabilityName() {
|
||||||
|
return pht('Can Create Users');
|
||||||
|
}
|
||||||
|
|
||||||
|
public function describeCapabilityRejection() {
|
||||||
|
return pht('You do not have permission to create users.');
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
|
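Review bot: PeopleCreateUsersCapability has no class comment, and it overrides only `getCapabilityName()` and `describeCapabilityRejection()`. How broad a policy the picker will offer for it therefore depends on defaults in `PhabricatorPolicyCapability`, which this page does not show. Because holding this capability allows creating accounts, a short docblock would make later policy changes easier to audit. It should state the intended audience (administrators by default, never logged-out viewers) and note that the create, new-user and LDAP import controllers all require this one capability.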
@ -37,13 +37,14 @@ abstract class PhabricatorPeopleController extends PhabricatorController {
|
||||||
|
|
||||||
$viewer = $this->getRequest()->getUser();
|
$viewer = $this->getRequest()->getUser();
|
||||||
|
|
||||||
if ($viewer->getIsAdmin()) {
|
$can_create = $this->hasApplicationCapability(
|
||||||
|
PeopleCreateUsersCapability::CAPABILITY);
|
||||||
$crumbs->addAction(
|
$crumbs->addAction(
|
||||||
id(new PHUIListItemView())
|
id(new PHUIListItemView())
|
||||||
->setName(pht('Create New User'))
|
->setName(pht('Create New User'))
|
||||||
->setHref($this->getApplicationURI('create/'))
|
->setHref($this->getApplicationURI('create/'))
|
||||||
|
->setDisabled(!$can_create)
|
||||||
->setIcon('fa-plus-square'));
|
->setIcon('fa-plus-square'));
|
||||||
}
|
|
||||||
|
|
||||||
return $crumbs;
|
return $crumbs;
|
||||||
}
|
}
|
||||||
|
|
|
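Review bot: `->setDisabled(!$can_create)` only changes how the "Create New User" action is displayed, and `setHref($this->getApplicationURI('create/'))` is still set for every viewer, so this is not the access check. Enforcement rests on the `requireApplicationCapability()` calls in the creation controllers. A comment such as `// UI hint only; the create controllers enforce PeopleCreateUsersCapability.` would stop a later reader from treating this line as the gate. Separately, `$viewer = $this->getRequest()->getUser();` is now dead: its only visible use was the removed `getIsAdmin()` test and nothing between the assignment and `return $crumbs;` reads it, so the assignment can be dropped.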
@ -3,8 +3,9 @@
|
||||||
final class PhabricatorPeopleCreateController
|
final class PhabricatorPeopleCreateController
|
||||||
extends PhabricatorPeopleController {
|
extends PhabricatorPeopleController {
|
||||||
|
|
||||||
public function processRequest() {
|
public function handleRequest(AphrontRequest $request) {
|
||||||
$request = $this->getRequest();
|
$this->requireApplicationCapability(
|
||||||
|
PeopleCreateUsersCapability::CAPABILITY);
|
||||||
$admin = $request->getUser();
|
$admin = $request->getUser();
|
||||||
|
|
||||||
id(new PhabricatorAuthSessionEngine())->requireHighSecuritySession(
|
id(new PhabricatorAuthSessionEngine())->requireHighSecuritySession(
|
||||||
|
|
|
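Review bot: `$admin = $request->getUser();` is kept right after the new `requireApplicationCapability()` call, but once the policy is editable the viewer reaching this line is no longer guaranteed to be an administrator. The same line survives in the PhabricatorPeopleLdapController and PhabricatorPeopleNewController hunks. Renaming it to `$viewer` would stop code further down from treating the variable as proof of admin rights. `handleRequest()` continues past each hunk, so any remaining `getIsAdmin()` checks or admin-only assumptions there are not visible here. They should be reviewed so that the capability is the single authorization decision.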
@ -3,9 +3,9 @@
|
||||||
final class PhabricatorPeopleLdapController
|
final class PhabricatorPeopleLdapController
|
||||||
extends PhabricatorPeopleController {
|
extends PhabricatorPeopleController {
|
||||||
|
|
||||||
public function processRequest() {
|
public function handleRequest(AphrontRequest $request) {
|
||||||
|
$this->requireApplicationCapability(
|
||||||
$request = $this->getRequest();
|
PeopleCreateUsersCapability::CAPABILITY);
|
||||||
$admin = $request->getUser();
|
$admin = $request->getUser();
|
||||||
|
|
||||||
$content = array();
|
$content = array();
|
||||||
|
|
|
@ -3,17 +3,13 @@
|
||||||
final class PhabricatorPeopleNewController
|
final class PhabricatorPeopleNewController
|
||||||
extends PhabricatorPeopleController {
|
extends PhabricatorPeopleController {
|
||||||
|
|
||||||
private $type;
|
public function handleRequest(AphrontRequest $request) {
|
||||||
|
$this->requireApplicationCapability(
|
||||||
public function willProcessRequest(array $data) {
|
PeopleCreateUsersCapability::CAPABILITY);
|
||||||
$this->type = $data['type'];
|
$type = $request->getURIData('type');
|
||||||
}
|
|
||||||
|
|
||||||
public function processRequest() {
|
|
||||||
$request = $this->getRequest();
|
|
||||||
$admin = $request->getUser();
|
$admin = $request->getUser();
|
||||||
|
|
||||||
switch ($this->type) {
|
switch ($type) {
|
||||||
case 'standard':
|
case 'standard':
|
||||||
$is_bot = false;
|
$is_bot = false;
|
||||||
break;
|
break;
|
||||||
|
@ -36,7 +32,6 @@ final class PhabricatorPeopleNewController
|
||||||
|
|
||||||
$new_email = null;
|
$new_email = null;
|
||||||
|
|
||||||
$request = $this->getRequest();
|
|
||||||
if ($request->isFormPost()) {
|
if ($request->isFormPost()) {
|
||||||
$welcome_checked = $request->getInt('welcome');
|
$welcome_checked = $request->getInt('welcome');
|
||||||
|
|
||||||
|
|