mirror of
https://we.phorge.it/source/phorge.git
synced 2025-03-13 04:44:53 +01:00
541d794c13
Summary: Depends on D20111. Ref T6703. Currently, each ExternalAccount row is tied to a provider by `providerType` + `providerDomain`. This effectively prevents multiple providers of the same type, since, e.g., two LDAP providers may be on different ports on the same domain. The `domain` also isn't really a useful idea anyway because you can move which hostname an LDAP server is on, and LDAP actually uses the value `self` in all cases. Yeah, yikes. Instead, just bind each account to a particular provider. Then we can have an LDAP "alice" on seven different servers on different ports on the same machine and they can all move around and we'll still have a consistent, cohesive view of the world. (On its own, this creates some issues with the link/unlink/refresh flows. Those will be updated in followups, and doing this change in a way with no intermediate breaks would require fixing them to use IDs to reference providerType/providerDomain, then fixing this, then undoing the first fix most of the way.) Test Plan: Ran migrations, sanity-checked database. See followup changes for more comprehensive testing. Reviewers: amckinley Reviewed By: amckinley Subscribers: PHID-OPKG-gm6ozazyms6q6i22gyam Maniphest Tasks: T6703 Differential Revision: https://secure.phabricator.com/D20112
165 lines
4.4 KiB
PHP
165 lines
4.4 KiB
PHP
<?php
|
|
|
|
final class PhabricatorExternalAccount extends PhabricatorUserDAO
|
|
implements PhabricatorPolicyInterface {
|
|
|
|
protected $userPHID;
|
|
protected $accountType;
|
|
protected $accountDomain;
|
|
protected $accountSecret;
|
|
protected $accountID;
|
|
protected $displayName;
|
|
protected $username;
|
|
protected $realName;
|
|
protected $email;
|
|
protected $emailVerified = 0;
|
|
protected $accountURI;
|
|
protected $profileImagePHID;
|
|
protected $properties = array();
|
|
protected $providerConfigPHID;
|
|
|
|
private $profileImageFile = self::ATTACHABLE;
|
|
private $providerConfig = self::ATTACHABLE;
|
|
|
|
public function getProfileImageFile() {
|
|
return $this->assertAttached($this->profileImageFile);
|
|
}
|
|
|
|
public function attachProfileImageFile(PhabricatorFile $file) {
|
|
$this->profileImageFile = $file;
|
|
return $this;
|
|
}
|
|
|
|
public function generatePHID() {
|
|
return PhabricatorPHID::generateNewPHID(
|
|
PhabricatorPeopleExternalPHIDType::TYPECONST);
|
|
}
|
|
|
|
protected function getConfiguration() {
|
|
return array(
|
|
self::CONFIG_AUX_PHID => true,
|
|
self::CONFIG_SERIALIZATION => array(
|
|
'properties' => self::SERIALIZATION_JSON,
|
|
),
|
|
self::CONFIG_COLUMN_SCHEMA => array(
|
|
'userPHID' => 'phid?',
|
|
'accountType' => 'text16',
|
|
'accountDomain' => 'text64',
|
|
'accountSecret' => 'text?',
|
|
'accountID' => 'text64',
|
|
'displayName' => 'text255?',
|
|
'username' => 'text255?',
|
|
'realName' => 'text255?',
|
|
'email' => 'text255?',
|
|
'emailVerified' => 'bool',
|
|
'profileImagePHID' => 'phid?',
|
|
'accountURI' => 'text255?',
|
|
),
|
|
self::CONFIG_KEY_SCHEMA => array(
|
|
'account_details' => array(
|
|
'columns' => array('accountType', 'accountDomain', 'accountID'),
|
|
'unique' => true,
|
|
),
|
|
'key_user' => array(
|
|
'columns' => array('userPHID'),
|
|
),
|
|
),
|
|
) + parent::getConfiguration();
|
|
}
|
|
|
|
public function getProviderKey() {
|
|
return $this->getAccountType().':'.$this->getAccountDomain();
|
|
}
|
|
|
|
public function save() {
|
|
if (!$this->getAccountSecret()) {
|
|
$this->setAccountSecret(Filesystem::readRandomCharacters(32));
|
|
}
|
|
return parent::save();
|
|
}
|
|
|
|
public function setProperty($key, $value) {
|
|
$this->properties[$key] = $value;
|
|
return $this;
|
|
}
|
|
|
|
public function getProperty($key, $default = null) {
|
|
return idx($this->properties, $key, $default);
|
|
}
|
|
|
|
public function isUsableForLogin() {
|
|
$config = $this->getProviderConfig();
|
|
if (!$config->getIsEnabled()) {
|
|
return false;
|
|
}
|
|
|
|
$provider = $config->getProvider();
|
|
if (!$provider->shouldAllowLogin()) {
|
|
return false;
|
|
}
|
|
|
|
return true;
|
|
}
|
|
|
|
public function getDisplayName() {
|
|
if (strlen($this->displayName)) {
|
|
return $this->displayName;
|
|
}
|
|
|
|
// TODO: Figure out how much identifying information we're going to show
|
|
// to users about external accounts. For now, just show a string which is
|
|
// clearly not an error, but don't disclose any identifying information.
|
|
|
|
$map = array(
|
|
'email' => pht('Email User'),
|
|
);
|
|
|
|
$type = $this->getAccountType();
|
|
|
|
return idx($map, $type, pht('"%s" User', $type));
|
|
}
|
|
|
|
public function attachProviderConfig(PhabricatorAuthProviderConfig $config) {
|
|
$this->providerConfig = $config;
|
|
return $this;
|
|
}
|
|
|
|
public function getProviderConfig() {
|
|
return $this->assertAttached($this->providerConfig);
|
|
}
|
|
|
|
|
|
/* -( PhabricatorPolicyInterface )----------------------------------------- */
|
|
|
|
|
|
public function getCapabilities() {
|
|
return array(
|
|
PhabricatorPolicyCapability::CAN_VIEW,
|
|
PhabricatorPolicyCapability::CAN_EDIT,
|
|
);
|
|
}
|
|
|
|
public function getPolicy($capability) {
|
|
switch ($capability) {
|
|
case PhabricatorPolicyCapability::CAN_VIEW:
|
|
return PhabricatorPolicies::getMostOpenPolicy();
|
|
case PhabricatorPolicyCapability::CAN_EDIT:
|
|
return PhabricatorPolicies::POLICY_NOONE;
|
|
}
|
|
}
|
|
|
|
public function hasAutomaticCapability($capability, PhabricatorUser $viewer) {
|
|
return ($viewer->getPHID() == $this->getUserPHID());
|
|
}
|
|
|
|
public function describeAutomaticCapability($capability) {
|
|
switch ($capability) {
|
|
case PhabricatorPolicyCapability::CAN_VIEW:
|
|
return null;
|
|
case PhabricatorPolicyCapability::CAN_EDIT:
|
|
return pht(
|
|
'External accounts can only be edited by the account owner.');
|
|
}
|
|
}
|
|
|
|
}
|