@recaptime-dev's working patches + fork for Phorge, a community fork of Phabricator. (Upstream dev and stable branches are at upstream/main and upstream/stable respectively.) hq.recaptime.dev/wiki/Phorge

Remove deprecated Maniphest "Can Edit <Specific Property>" capabilities

Summary:
Depends on D19579. Fixes T10003. These have been deprecated with a setup warning about their impending removal for about two and a half years.

Ref T13164. See PHI642. My overall goal here is to simplify how we handle transactions which have special policy behaviors. In particular, I'm hoping to replace `ApplicationTransactionEditor->requireCapabilities()` with a new, more clear policy check.

A problem with `requireCapabilities()` is that it doesn't actually enforce any policies in almost all cases: the default is "nothing", not CAN_EDIT. So it ends up looking like it's the right place to specialize policy checks, but it usually isn't.

For "Disable", I need to be able to weaken the check selectively (you can disable users if you have the permission, even if you can't edit them otherwise). We have a handful of other edits which work like this (notably, leaving and joining projects) but they're very rare.

Test Plan: Grepped for all removed classes. Edited a Maniphest task.

Reviewers: amckinley

Reviewed By: amckinley

Maniphest Tasks: T13164, T10003

Differential Revision: https://secure.phabricator.com/D19581

+1 -208
-10
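--- a/src/__phutil_library_map__.php
+++ b/src/__phutil_library_map__.php
@@ -1646,13 +1646,8 @@
 'ManiphestDAO' => 'applications/maniphest/storage/ManiphestDAO.php',
 'ManiphestDefaultEditCapability' => 'applications/maniphest/capability/ManiphestDefaultEditCapability.php',
 'ManiphestDefaultViewCapability' => 'applications/maniphest/capability/ManiphestDefaultViewCapability.php',
-'ManiphestEditAssignCapability' => 'applications/maniphest/capability/ManiphestEditAssignCapability.php',
 'ManiphestEditConduitAPIMethod' => 'applications/maniphest/conduit/ManiphestEditConduitAPIMethod.php',
 'ManiphestEditEngine' => 'applications/maniphest/editor/ManiphestEditEngine.php',
-'ManiphestEditPoliciesCapability' => 'applications/maniphest/capability/ManiphestEditPoliciesCapability.php',
-'ManiphestEditPriorityCapability' => 'applications/maniphest/capability/ManiphestEditPriorityCapability.php',
-'ManiphestEditProjectsCapability' => 'applications/maniphest/capability/ManiphestEditProjectsCapability.php',
-'ManiphestEditStatusCapability' => 'applications/maniphest/capability/ManiphestEditStatusCapability.php',
 'ManiphestEmailCommand' => 'applications/maniphest/command/ManiphestEmailCommand.php',
 'ManiphestGetTaskTransactionsConduitAPIMethod' => 'applications/maniphest/conduit/ManiphestGetTaskTransactionsConduitAPIMethod.php',
 'ManiphestHovercardEngineExtension' => 'applications/maniphest/engineextension/ManiphestHovercardEngineExtension.php',
@@ -7152,13 +7147,8 @@
 'ManiphestDAO' => 'PhabricatorLiskDAO',
 'ManiphestDefaultEditCapability' => 'PhabricatorPolicyCapability',
 'ManiphestDefaultViewCapability' => 'PhabricatorPolicyCapability',
-'ManiphestEditAssignCapability' => 'PhabricatorPolicyCapability',
 'ManiphestEditConduitAPIMethod' => 'PhabricatorEditEngineAPIMethod',
 'ManiphestEditEngine' => 'PhabricatorEditEngine',
-'ManiphestEditPoliciesCapability' => 'PhabricatorPolicyCapability',
-'ManiphestEditPriorityCapability' => 'PhabricatorPolicyCapability',
-'ManiphestEditProjectsCapability' => 'PhabricatorPolicyCapability',
-'ManiphestEditStatusCapability' => 'PhabricatorPolicyCapability',
 'ManiphestEmailCommand' => 'MetaMTAEmailTransactionCommand',
 'ManiphestGetTaskTransactionsConduitAPIMethod' => 'ManiphestConduitAPIMethod',
 'ManiphestHovercardEngineExtension' => 'PhabricatorHovercardEngineExtension',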
-65
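--- a/src/applications/config/check/PhabricatorExtraConfigSetupCheck.php
+++ b/src/applications/config/check/PhabricatorExtraConfigSetupCheck.php
@@ -361,69 +361,4 @@
 return $ancient_config;
 }
 
-private function executeManiphestFieldChecks() {
-$maniphest_appclass = 'PhabricatorManiphestApplication';
-if (!PhabricatorApplication::isClassInstalled($maniphest_appclass)) {
-return;
-}
-
-$capabilities = array(
-ManiphestEditAssignCapability::CAPABILITY,
-ManiphestEditPoliciesCapability::CAPABILITY,
-ManiphestEditPriorityCapability::CAPABILITY,
-ManiphestEditProjectsCapability::CAPABILITY,
-ManiphestEditStatusCapability::CAPABILITY,
-);
-
-// Check for any of these capabilities set to anything other than
-// "All Users".
-
-$any_set = false;
-$app = new PhabricatorManiphestApplication();
-foreach ($capabilities as $capability) {
-$setting = $app->getPolicy($capability);
-if ($setting != PhabricatorPolicies::POLICY_USER) {
-$any_set = true;
-break;
-}
-}
-
-if (!$any_set) {
-return;
-}
-
-$issue_summary = pht(
-'Maniphest is currently configured with deprecated policy settings '.
-'which will be removed in a future version of Phabricator.');
-
-
-$message = pht(
-'Some policy settings in Maniphest are now deprecated and will be '.
-'removed in a future version of Phabricator. You are currently using '.
-'at least one of these settings.'.
-"\n\n".
-'The deprecated settings are "Can Assign Tasks", '.
-'"Can Edit Task Policies", "Can Prioritize Tasks", '.
-'"Can Edit Task Projects", and "Can Edit Task Status". You can '.
-'find these settings in Applications, or follow the link below.'.
-"\n\n".
-'You can find discussion of this change (including rationale and '.
-'recommendations on how to configure similar features) in the upstream, '.
-'at the link below.'.
-"\n\n".
-'To resolve this issue, set all of these policies to "All Users" after '.
-'making any necessary form customization changes.');
-
-$more_href = 'https://secure.phabricator.com/T10003';
-$edit_href = '/applications/view/PhabricatorManiphestApplication/';
-
-$issue = $this->newIssue('maniphest.T10003-per-field-policies')
-->setShortName(pht('Deprecated Policies'))
-->setName(pht('Deprecated Maniphest Field Policies'))
-->setSummary($issue_summary)
-->setMessage($message)
-->addLink($more_href, pht('Learn More: Upstream Discussion'))
-->addLink($edit_href, pht('Edit These Settings'));
-}
-
 }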
-5
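--- a/src/applications/maniphest/application/PhabricatorManiphestApplication.php
+++ b/src/applications/maniphest/application/PhabricatorManiphestApplication.php
@@ -85,11 +85,6 @@
 'template' => ManiphestTaskPHIDType::TYPECONST,
 'capability' => PhabricatorPolicyCapability::CAN_EDIT,
 ),
-ManiphestEditStatusCapability::CAPABILITY => array(),
-ManiphestEditAssignCapability::CAPABILITY => array(),
-ManiphestEditPoliciesCapability::CAPABILITY => array(),
-ManiphestEditPriorityCapability::CAPABILITY => array(),
-ManiphestEditProjectsCapability::CAPABILITY => array(),
 ManiphestBulkEditCapability::CAPABILITY => array(),
 );
 }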
-15
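--- a/src/applications/maniphest/capability/ManiphestEditAssignCapability.php
+++ b/src/applications/maniphest/capability/ManiphestEditAssignCapability.php
@@ -1,15 +0,0 @@
-<?php
-
-final class ManiphestEditAssignCapability extends PhabricatorPolicyCapability {
-
-const CAPABILITY = 'maniphest.edit.assign';
-
-public function getCapabilityName() {
-return pht('Can Assign Tasks');
-}
-
-public function describeCapabilityRejection() {
-return pht('You do not have permission to assign tasks.');
-}
-
-}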
-16
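--- a/src/applications/maniphest/capability/ManiphestEditPoliciesCapability.php
+++ b/src/applications/maniphest/capability/ManiphestEditPoliciesCapability.php
@@ -1,16 +0,0 @@
-<?php
-
-final class ManiphestEditPoliciesCapability
-extends PhabricatorPolicyCapability {
-
-const CAPABILITY = 'maniphest.edit.policies';
-
-public function getCapabilityName() {
-return pht('Can Edit Task Policies');
-}
-
-public function describeCapabilityRejection() {
-return pht('You do not have permission to edit task policies.');
-}
-
-}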
-16
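--- a/src/applications/maniphest/capability/ManiphestEditPriorityCapability.php
+++ b/src/applications/maniphest/capability/ManiphestEditPriorityCapability.php
@@ -1,16 +0,0 @@
-<?php
-
-final class ManiphestEditPriorityCapability
-extends PhabricatorPolicyCapability {
-
-const CAPABILITY = 'maniphest.edit.priority';
-
-public function getCapabilityName() {
-return pht('Can Prioritize Tasks');
-}
-
-public function describeCapabilityRejection() {
-return pht('You do not have permission to prioritize tasks.');
-}
-
-}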
-16
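--- a/src/applications/maniphest/capability/ManiphestEditProjectsCapability.php
+++ b/src/applications/maniphest/capability/ManiphestEditProjectsCapability.php
@@ -1,16 +0,0 @@
-<?php
-
-final class ManiphestEditProjectsCapability
-extends PhabricatorPolicyCapability {
-
-const CAPABILITY = 'maniphest.edit.projects';
-
-public function getCapabilityName() {
-return pht('Can Edit Task Projects');
-}
-
-public function describeCapabilityRejection() {
-return pht('You do not have permission to edit task projects.');
-}
-
-}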
-15
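--- a/src/applications/maniphest/capability/ManiphestEditStatusCapability.php
+++ b/src/applications/maniphest/capability/ManiphestEditStatusCapability.php
@@ -1,15 +0,0 @@
-<?php
-
-final class ManiphestEditStatusCapability extends PhabricatorPolicyCapability {
-
-const CAPABILITY = 'maniphest.edit.status';
-
-public function getCapabilityName() {
-return pht('Can Edit Task Status');
-}
-
-public function describeCapabilityRejection() {
-return pht('You do not have permission to edit task status.');
-}
-
-}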
-45
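--- a/src/applications/maniphest/editor/ManiphestTransactionEditor.php
+++ b/src/applications/maniphest/editor/ManiphestTransactionEditor.php
@@ -279,51 +279,6 @@
 ->setTask($object);
 }
 
-protected function requireCapabilities(
-PhabricatorLiskDAO $object,
-PhabricatorApplicationTransaction $xaction) {
-
-parent::requireCapabilities($object, $xaction);
-
-$app_capability_map = array(
-ManiphestTaskPriorityTransaction::TRANSACTIONTYPE =>
-ManiphestEditPriorityCapability::CAPABILITY,
-ManiphestTaskStatusTransaction::TRANSACTIONTYPE =>
-ManiphestEditStatusCapability::CAPABILITY,
-ManiphestTaskOwnerTransaction::TRANSACTIONTYPE =>
-ManiphestEditAssignCapability::CAPABILITY,
-PhabricatorTransactions::TYPE_EDIT_POLICY =>
-ManiphestEditPoliciesCapability::CAPABILITY,
-PhabricatorTransactions::TYPE_VIEW_POLICY =>
-ManiphestEditPoliciesCapability::CAPABILITY,
-);
-
-
-$transaction_type = $xaction->getTransactionType();
-
-$app_capability = null;
-if ($transaction_type == PhabricatorTransactions::TYPE_EDGE) {
-switch ($xaction->getMetadataValue('edge:type')) {
-case PhabricatorProjectObjectHasProjectEdgeType::EDGECONST:
-$app_capability = ManiphestEditProjectsCapability::CAPABILITY;
-break;
-}
-} else {
-$app_capability = idx($app_capability_map, $transaction_type);
-}
-
-if ($app_capability) {
-$app = id(new PhabricatorApplicationQuery())
-->setViewer($this->getActor())
-->withClasses(array('PhabricatorManiphestApplication'))
-->executeOne();
-PhabricatorPolicyFilter::requireCapability(
-$this->getActor(),
-$app,
-$app_capability);
-}
-}
-
 protected function adjustObjectForPolicyChecks(
 PhabricatorLiskDAO $object,
 array $xactions) {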
+1 -5
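--- a/src/applications/maniphest/query/ManiphestTaskSearchEngine.php
+++ b/src/applications/maniphest/query/ManiphestTaskSearchEngine.php
@@ -369,11 +369,7 @@
 $can_edit_priority = false;
 $can_bulk_edit = false;
 } else {
-$can_edit_priority = PhabricatorPolicyFilter::hasCapability(
-$viewer,
-$this->getApplication(),
-ManiphestEditPriorityCapability::CAPABILITY);
-
+$can_edit_priority = true;
 $can_bulk_edit = PhabricatorPolicyFilter::hasCapability(
 $viewer,
 $this->getApplication(),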
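Review bot: `$can_edit_priority = true;` in the `else` branch means the priority-edit affordance is now offered to every viewer who reaches that branch, with no application-level check left in this hunk; whatever still restricts reprioritising has to be enforced server-side when the transaction is applied, which is not visible here. The same commit also deletes the `requireCapabilities()` override in ManiphestTransactionEditor.php and the setup check in PhabricatorExtraConfigSetupCheck.php, so an install that still restricts "Can Prioritize Tasks" (or one of the other four capabilities) appears to lose that restriction on upgrade without a warning; that is worth stating in the upgrade notes. I would add a comment above the assignment, `// Per-field "Can Prioritize Tasks" capability was removed (T10003); no application-level check remains here.` The enclosing method starts before and continues after the hunk.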