People - add application policy on user creation

Summary: Ref T6947.

Test Plan: made the setting say only admin user a and noted admin user b lost access

Reviewers: epriestley

Reviewed By: epriestley

Subscribers: Korvin, epriestley

Maniphest Tasks: T4137, T6947

Differential Revision: https://secure.phabricator.com/D11357

src/__phutil_library_map__.php

@@ -1224,6 +1224,7 @@ phutil_register_library_map(array(
     'PasteQueryConduitAPIMethod' => 'applications/paste/conduit/PasteQueryConduitAPIMethod.php',
     'PasteReplyHandler' => 'applications/paste/mail/PasteReplyHandler.php',
     'PeopleBrowseUserDirectoryCapability' => 'applications/people/capability/PeopleBrowseUserDirectoryCapability.php',
+    'PeopleCreateUsersCapability' => 'applications/people/capability/PeopleCreateUsersCapability.php',
     'PeopleUserLogGarbageCollector' => 'applications/people/garbagecollector/PeopleUserLogGarbageCollector.php',
     'Phabricator404Controller' => 'applications/base/controller/Phabricator404Controller.php',
     'PhabricatorAPCSetupCheck' => 'applications/config/check/PhabricatorAPCSetupCheck.php',
@@ -4382,6 +4383,7 @@ phutil_register_library_map(array(
     'PasteQueryConduitAPIMethod' => 'PasteConduitAPIMethod',
     'PasteReplyHandler' => 'PhabricatorMailReplyHandler',
     'PeopleBrowseUserDirectoryCapability' => 'PhabricatorPolicyCapability',
+    'PeopleCreateUsersCapability' => 'PhabricatorPolicyCapability',
     'PeopleUserLogGarbageCollector' => 'PhabricatorGarbageCollector',
     'Phabricator404Controller' => 'PhabricatorController',
     'PhabricatorAPCSetupCheck' => 'PhabricatorSetupCheck',

src/applications/people/application/PhabricatorPeopleApplication.php

@@ -78,6 +78,9 @@ final class PhabricatorPeopleApplication extends PhabricatorApplication {
 
   protected function getCustomCapabilities() {
     return array(
+      PeopleCreateUsersCapability::CAPABILITY => array(
+        'default' => PhabricatorPolicies::POLICY_ADMIN,
+      ),
       PeopleBrowseUserDirectoryCapability::CAPABILITY => array(),
     );
   }

src/applications/people/capability/PeopleCreateUsersCapability.php

@@ -0,0 +1,16 @@
+<?php
+
+final class PeopleCreateUsersCapability
+  extends PhabricatorPolicyCapability {
+
+  const CAPABILITY = 'people.create.users';
+
+  public function getCapabilityName() {
+    return pht('Can Create Users');
+  }
+
+  public function describeCapabilityRejection() {
+    return pht('You do not have permission to create users.');
+  }
+
+}

src/applications/people/controller/PhabricatorPeopleController.php

@@ -37,13 +37,14 @@ abstract class PhabricatorPeopleController extends PhabricatorController {
 
     $viewer = $this->getRequest()->getUser();
 
-    if ($viewer->getIsAdmin()) {
+    $can_create = $this->hasApplicationCapability(
-      $crumbs->addAction(
+      PeopleCreateUsersCapability::CAPABILITY);
-        id(new PHUIListItemView())
+    $crumbs->addAction(
-          ->setName(pht('Create New User'))
+      id(new PHUIListItemView())
-          ->setHref($this->getApplicationURI('create/'))
+      ->setName(pht('Create New User'))
-          ->setIcon('fa-plus-square'));
+      ->setHref($this->getApplicationURI('create/'))
-    }
+      ->setDisabled(!$can_create)
+      ->setIcon('fa-plus-square'));
 
     return $crumbs;
   }

src/applications/people/controller/PhabricatorPeopleCreateController.php

@@ -3,8 +3,9 @@
 final class PhabricatorPeopleCreateController
   extends PhabricatorPeopleController {
 
-  public function processRequest() {
+  public function handleRequest(AphrontRequest $request) {
-    $request = $this->getRequest();
+    $this->requireApplicationCapability(
+      PeopleCreateUsersCapability::CAPABILITY);
     $admin = $request->getUser();
 
     id(new PhabricatorAuthSessionEngine())->requireHighSecuritySession(

src/applications/people/controller/PhabricatorPeopleLdapController.php

@@ -3,9 +3,9 @@
 final class PhabricatorPeopleLdapController
   extends PhabricatorPeopleController {
 
-  public function processRequest() {
+  public function handleRequest(AphrontRequest $request) {
-
+    $this->requireApplicationCapability(
-    $request = $this->getRequest();
+      PeopleCreateUsersCapability::CAPABILITY);
     $admin = $request->getUser();
 
     $content = array();

src/applications/people/controller/PhabricatorPeopleNewController.php

@@ -3,17 +3,13 @@
 final class PhabricatorPeopleNewController
   extends PhabricatorPeopleController {
 
-  private $type;
+  public function handleRequest(AphrontRequest $request) {
-
+    $this->requireApplicationCapability(
-  public function willProcessRequest(array $data) {
+      PeopleCreateUsersCapability::CAPABILITY);
-    $this->type = $data['type'];
+    $type = $request->getURIData('type');
-  }
-
-  public function processRequest() {
-    $request = $this->getRequest();
     $admin = $request->getUser();
 
-    switch ($this->type) {
+    switch ($type) {
       case 'standard':
         $is_bot = false;
         break;
@@ -36,7 +32,6 @@ final class PhabricatorPeopleNewController
 
     $new_email = null;
 
-    $request = $this->getRequest();
     if ($request->isFormPost()) {
       $welcome_checked = $request->getInt('welcome');