revi-archive/phorge-phorge
1
0
Fork 0
mirror of https://we.phorge.it/source/phorge.git synced 2024-11-30 18:52:42 +01:00
Code Issues Releases Wiki Activity
phorge-phorge/src/applications/system
History
epriestley c86dca3ffc Update "bin/policy unlock" to be more surgical, flexible, modular, and modern 
Summary:
See PHI1115. Ref T13249. Currently, you can `bin/policy unlock` objects which have become inaccessible through some sort of policy mistake.

This script uses a very blunt mechanism to perform unlocks: just manually calling `setXPolicy()` and then trying to `save()` the object. Improve things a bit:

  - More surgical: allow selection of which policies you want to adjust with "--view", "--edit", and "--owner" (potentially important for some objects like Herald rules which don't have policies, and "edit-locked" tasks which basically ignore the edit policy).
  - More flexible: Instead of unlocking into "All Users" (which could be bad for stuff like Passphrase credentials, since you create a short window where anyone can access them), take a username as a parameter and set the policy to "just that user". Normally, you'd run this as `bin/policy unlock --view myself --edit myself` or similar, now.
  - More modular: We can't do "owner" transactions in a generic way, but lay the groundwork for letting applications support providing an owner reassignment mechanism.
  - More modern: Use transactions, not raw `set()` + `save()`.

This previously had some hard-coded logic around unlocking applications. I've removed it, and the new generic stuff doesn't actually work. It probably should be made to work at some point, but I believe it's exceptionally difficult to lock yourself out of applications, and you can unlock them with `bin/config set phabricator.application-settings ...` anyway so I'm not too worried about this. It's also hard to figure out the PHID of an application and no one has ever asked about this so I'd guess the reasonable use rate of `bin/policy unlock` to unlock applications in the wild may be zero.

Test Plan:
  - Used `bin/policy unlock` to unlock some objects, saw sensible transactions.

Reviewers: amckinley

Reviewed By: amckinley

Maniphest Tasks: T13249

Differential Revision: https://secure.phabricator.com/D20256
2019-03-07 12:24:25 -08:00
..
action Extend from Phobject 2015-06-15 18:02:27 +10:00
application Add a generic PHID-based object redirection controller 2018-06-12 11:54:59 -07:00
codex When destorying a repository, print a notification about removing the working copy 2017-08-01 08:57:39 -07:00
controller Add a generic PHID-based object redirection controller 2018-06-12 11:54:59 -07:00
engine Update "bin/policy unlock" to be more surgical, flexible, modular, and modern 2019-03-07 12:24:25 -08:00
exception Add semi-generic rate limiting infrastructure 2014-04-03 11:22:38 -07:00
garbagecollector Provide bin/garbage for interacting with garbage collection 2015-10-02 09:17:24 -07:00
interface When destorying a repository, print a notification about removing the working copy 2017-08-01 08:57:39 -07:00
management When destorying a repository, print a notification about removing the working copy 2017-08-01 08:57:39 -07:00
storage Fix visiblity of LiskDAO::getConfiguration() 2015-01-14 06:54:13 +11:00