@recaptime-dev's working patches + fork for Phorge, a community fork of Phabricator. (Upstream dev and stable branches are at upstream/main and upstream/stable respectively.) hq.recaptime.dev/wiki/Phorge

Add a "Can Disable Users" capability to the "People" application

Summary:
Depends on D19605. Ref T13189. See PHI642. This adds a separate "Can Disable Users" capability, and makes the underlying transaction use it.

This doesn't actually let you weaken the permission, since all pathways need more permissions:

- `user.edit` needs CAN_EDIT.
- `user.disable/enable` need admin.
- Web UI workflow needs admin.

Upcoming changes will update these pathways.

Without additional changes, this does let you //strengthen// the permission.

This also fixes the inability to disable non-bot users via the web UI.

Test Plan:
- Set permission to "No One", tried to disable users. Got a tailored policy error.
- Set permission to "All Users", disabled/enabled a non-bot user.

Reviewers: amckinley

Maniphest Tasks: T13189

Differential Revision: https://secure.phabricator.com/D19606

+35
+2
src/__phutil_library_map__.php
··· 2042 2042 'PasteSearchConduitAPIMethod' => 'applications/paste/conduit/PasteSearchConduitAPIMethod.php', 2043 2043 'PeopleBrowseUserDirectoryCapability' => 'applications/people/capability/PeopleBrowseUserDirectoryCapability.php', 2044 2044 'PeopleCreateUsersCapability' => 'applications/people/capability/PeopleCreateUsersCapability.php', 2045 + 'PeopleDisableUsersCapability' => 'applications/people/capability/PeopleDisableUsersCapability.php', 2045 2046 'PeopleHovercardEngineExtension' => 'applications/people/engineextension/PeopleHovercardEngineExtension.php', 2046 2047 'PeopleMainMenuBarExtension' => 'applications/people/engineextension/PeopleMainMenuBarExtension.php', 2047 2048 'PeopleUserLogGarbageCollector' => 'applications/people/garbagecollector/PeopleUserLogGarbageCollector.php', ··· 7592 7593 'PasteSearchConduitAPIMethod' => 'PhabricatorSearchEngineAPIMethod', 7593 7594 'PeopleBrowseUserDirectoryCapability' => 'PhabricatorPolicyCapability', 7594 7595 'PeopleCreateUsersCapability' => 'PhabricatorPolicyCapability', 7596 + 'PeopleDisableUsersCapability' => 'PhabricatorPolicyCapability', 7595 7597 'PeopleHovercardEngineExtension' => 'PhabricatorHovercardEngineExtension', 7596 7598 'PeopleMainMenuBarExtension' => 'PhabricatorMainMenuBarExtension', 7597 7599 'PeopleUserLogGarbageCollector' => 'PhabricatorGarbageCollector',
+3
src/applications/people/application/PhabricatorPeopleApplication.php
··· 97 97 PeopleCreateUsersCapability::CAPABILITY => array( 98 98 'default' => PhabricatorPolicies::POLICY_ADMIN, 99 99 ), 100 + PeopleDisableUsersCapability::CAPABILITY => array( 101 + 'default' => PhabricatorPolicies::POLICY_ADMIN, 102 + ), 100 103 PeopleBrowseUserDirectoryCapability::CAPABILITY => array(), 101 104 ); 102 105 }
+16
src/applications/people/capability/PeopleDisableUsersCapability.php
··· 1 + <?php 2 + 3 + final class PeopleDisableUsersCapability 4 + extends PhabricatorPolicyCapability { 5 + 6 + const CAPABILITY = 'people.disable.users'; 7 + 8 + public function getCapabilityName() { 9 + return pht('Can Disable Users'); 10 + } 11 + 12 + public function describeCapabilityRejection() { 13 + return pht('You do not have permission to disable or enable users.'); 14 + } 15 + 16 + }
+14
src/applications/people/xaction/PhabricatorUserDisableTransaction.php
··· 60 60 continue; 61 61 } 62 62 63 + // You must have the "Can Disable Users" permission to disable a user. 64 + $this->requireApplicationCapability( 65 + PeopleDisableUsersCapability::CAPABILITY); 66 + 63 67 if ($this->getActingAsPHID() === $object->getPHID()) { 64 68 $errors[] = $this->newInvalidError( 65 69 pht('You can not enable or disable your own account.')); ··· 69 73 return $errors; 70 74 } 71 75 76 + public function getRequiredCapabilities( 77 + $object, 78 + PhabricatorApplicationTransaction $xaction) { 79 + 80 + // You do not need to be able to edit users to disable them. Instead, this 81 + // requirement is replaced with a requirement that you have the "Can 82 + // Disable Users" permission. 83 + 84 + return null; 85 + } 72 86 }
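Review bot: In src/applications/people/capability/PeopleDisableUsersCapability.php, the capability name returned by getCapabilityName() is "Can Disable Users", but describeCapabilityRejection() and the commit message make clear that it also governs enabling users. An administrator reading the policy list would not learn from the name that re-enabling accounts is controlled here too. Consider a name that covers both directions, or a short docblock on the class saying that the one capability gates both disable and enable.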
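Review bot: In the first hunk of src/applications/people/xaction/PhabricatorUserDisableTransaction.php, the new requireApplicationCapability() call sits after a `continue` whose condition is outside the visible context, so any transaction that takes that branch is never checked against PeopleDisableUsersCapability. Please confirm that the skipped case is only a no-op (the disabled state not actually changing), and say so in the comment. The comment also mentions only disabling, while the check applies to enabling as well; "to disable or enable a user" would match the rejection text.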
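Review bot: In the second hunk of src/applications/people/xaction/PhabricatorUserDisableTransaction.php, getRequiredCapabilities() returns null, which leaves the requireApplicationCapability() call in the validation loop as the only permission gate visible in this patch for the transaction type. Because that makes an authorization decision depend on a validation step, it deserves an automated test rather than only the manual test plan: one case where the acting user lacks "Can Disable Users" and the transaction is rejected, and one where the user holds it without edit permission on the target and the transaction succeeds. The comment inside the method could also name the place where the replacement check is enforced, so a later refactor of the validation code does not silently remove it.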