@recaptime-dev's working patches + fork for Phorge, a community fork of Phabricator. (Upstream dev and stable branches are at upstream/main and upstream/stable respectively.) hq.recaptime.dev/wiki/Phorge

Allow logged-out users to load global preferences on installs without public viewers

Summary:
Fixes T11946. When a logged-out viewer is loading a page on a non-public install, there are two policy issues which prevent them from loading global settings:

- They can not see the Settings application itself.
- They can not see the global settings object.

Allow them to see Settings by making mandatory applications always visible. (This doesn't make any application pages public.)

Allow them to see the global settings object explicitly.

Test Plan:
Changed default language, viewed logged-out page:

{F2076924}

Reviewers: chad

Reviewed By: chad

Maniphest Tasks: T11946

Differential Revision: https://secure.phabricator.com/D16983

+20 -4
+13 -4
src/applications/base/PhabricatorApplication.php
··· 437 437 if (!self::isClassInstalled($class)) { 438 438 $result = false; 439 439 } else { 440 - $result = PhabricatorPolicyFilter::hasCapability( 441 - $viewer, 442 - self::getByClass($class), 443 - PhabricatorPolicyCapability::CAN_VIEW); 440 + $application = self::getByClass($class); 441 + if (!$application->canUninstall()) { 442 + // If the application can not be uninstalled, always allow viewers 443 + // to see it. In particular, this allows logged-out viewers to see 444 + // Settings and load global default settings even if the install 445 + // does not allow public viewers. 446 + $result = true; 447 + } else { 448 + $result = PhabricatorPolicyFilter::hasCapability( 449 + $viewer, 450 + self::getByClass($class), 451 + PhabricatorPolicyCapability::CAN_VIEW); 452 + } 444 453 } 445 454 446 455 $cache->setKey($key, $result);
+7
src/applications/settings/storage/PhabricatorUserPreferences.php
··· 219 219 } 220 220 } 221 221 222 + switch ($this->getBuiltinKey()) { 223 + case self::BUILTIN_GLOBAL_DEFAULT: 224 + // NOTE: Without this policy exception, the logged-out viewer can not 225 + // see global preferences. 226 + return true; 227 + } 228 + 222 229 return false; 223 230 } 224 231
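Review bot: In src/applications/base/PhabricatorApplication.php, the new `!$application->canUninstall()` branch sets `$result = true` without consulting `$viewer` or the application's view policy. Every application that reports it cannot be uninstalled therefore becomes visible to every viewer, not only Settings for logged-out viewers. "Cannot be uninstalled" is standing in for "must be visible", so a later application that returns false from `canUninstall()` for unrelated reasons silently inherits the bypass. Consider a dedicated predicate for this, or at least extend the comment to say that the bypass is deliberate for all such applications. The test plan only exercises the language setting, so it would help to also confirm that a logged-out viewer still cannot load pages inside one of these applications, as the summary claims. Minor: the else branch calls `self::getByClass($class)` a second time although `$application` already holds the result.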
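Review bot: In src/applications/settings/storage/PhabricatorUserPreferences.php, the added `case self::BUILTIN_GLOBAL_DEFAULT:` returns true with no check on which capability is being asked about in the visible lines. The comment and the summary talk only about letting the logged-out viewer see global preferences. If this method is also consulted for edit, the exception would grant that too. Please confirm an earlier guard limits this path to the view capability, or add the capability test to the condition here. A one-case `switch` would also read more directly as an `if` on `getBuiltinKey()`.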