revi-archive/phorge-phorge
1
0
Fork 0
mirror of https://we.phorge.it/source/phorge.git synced 2024-11-15 03:12:41 +01:00
Code Issues Releases Wiki Activity
phorge-phorge/src/applications/herald/controller/HeraldNewController.php
epriestley c8127edfe9 Tighten up some policy interactions in Herald 
Summary:
Ref T603. Herald is a bit of a policy minefield right now, although I think pretty much everything has straightforward solutions. This change:

  - Introduces "create" and "create global" permisions for Herald.
    - Maybe "create" is sort of redundant since there's no reason to have access to the application if not creating rules, but I think this won't be the case for most applications, so having an explicit "create" permission is more consistent.
  - Add some application policy helper functions.
  - Improve rendering a bit -- I think we probably need to build some `PolicyType` class, similar to `PHIDType`, to really get this right.
  - Don't let users who can't use application X create Herald rules for application X.
  - Remove Maniphest/Pholio rules when those applications are not installed.

Test Plan:
  - Restricted access to Maniphest and uninstalled Pholio.
  - Verified Pholio rules no longer appear for anyone.
  - Verified Maniphest ruls no longer appear for restricted users.
  - Verified users without CREATE_GLOBAL can not create global ruls.

Reviewers: btrahan

Reviewed By: btrahan

CC: aran

Maniphest Tasks: T603

Differential Revision: https://secure.phabricator.com/D7219
2013-10-04 15:15:48 -07:00

118 lines
3.3 KiB
PHP
Raw Blame History

<?php
final class HeraldNewController extends HeraldController {
private $contentType;
private $ruleType;
public function willProcessRequest(array $data) {
$this->contentType = idx($data, 'type');
$this->ruleType = idx($data, 'rule_type');
}
public function processRequest() {
$request = $this->getRequest();
$user = $request->getUser();
$this->requireApplicationCapability(
PhabricatorApplicationHerald::CAN_CREATE_RULE);
$can_global = $this->hasApplicationCapability(
PhabricatorApplicationHerald::CAN_CREATE_GLOBAL_RULE);
$content_type_map = HeraldAdapter::getEnabledAdapterMap($user);
if (empty($content_type_map[$this->contentType])) {
$this->contentType = head_key($content_type_map);
}
$rule_type_map = HeraldRuleTypeConfig::getRuleTypeMap();
if (empty($rule_type_map[$this->ruleType])) {
$this->ruleType = HeraldRuleTypeConfig::RULE_TYPE_PERSONAL;
}
// Reorder array to put "personal" first.
$rule_type_map = array_select_keys(
$rule_type_map,
array(
HeraldRuleTypeConfig::RULE_TYPE_PERSONAL,
)) + $rule_type_map;
if (!$can_global) {
$global_link = $this->explainApplicationCapability(
PhabricatorApplicationHerald::CAN_CREATE_GLOBAL_RULE,
pht('You do not have permission to create or manage global rules.'));
} else {
$global_link = null;
}
$captions = array(
HeraldRuleTypeConfig::RULE_TYPE_PERSONAL =>
pht(
'Personal rules notify you about events. You own them, but they can '.
'only affect you.'),
HeraldRuleTypeConfig::RULE_TYPE_GLOBAL =>
phutil_implode_html(
phutil_tag('br'),
array_filter(
array(
pht(
'Global rules notify anyone about events. Global rules can '.
'bypass access control policies.'),
$global_link,
))),
);
$radio = id(new AphrontFormRadioButtonControl())
->setLabel(pht('Type'))
->setName('rule_type')
->setValue($this->ruleType);
foreach ($rule_type_map as $value => $name) {
$disabled = ($value == HeraldRuleTypeConfig::RULE_TYPE_GLOBAL) &&
(!$can_global);
$radio->addButton(
$value,
$name,
idx($captions, $value),
$disabled ? 'disabled' : null,
$disabled);
}
$form = id(new AphrontFormView())
->setUser($user)
->setAction('/herald/edit/')
->appendChild(
id(new AphrontFormSelectControl())
->setLabel(pht('New Rule for'))
->setName('content_type')
->setValue($this->contentType)
->setOptions($content_type_map))
->appendChild($radio)
->appendChild(
id(new AphrontFormSubmitControl())
->setValue(pht('Create Rule'))
->addCancelButton($this->getApplicationURI()));
$form_box = id(new PHUIObjectBoxView())
->setHeaderText(pht('Create Herald Rule'))
->setForm($form);
$crumbs = $this
->buildApplicationCrumbs()
->addCrumb(
id(new PhabricatorCrumbView())
->setName(pht('Create Rule')));
return $this->buildApplicationPage(
array(
$crumbs,
$form_box,
),
array(
'title' => pht('Create Herald Rule'),
'device' => true,
));
}
}
View git blame Copy permalink