@recaptime-dev's working patches + fork for Phorge, a community fork of Phabricator. (Upstream dev and stable branches are at upstream/main and upstream/stable respectively.)
hq.recaptime.dev/wiki/Phorge
phorge
phabricator
Remove the "create rules" Herald capability
Summary:
Ref T603. In thinking about this, I think I went mad with power in creating this capability. I can't imagine any reason to give users access to Herald but not let them create rules.
We can restore this later if some install comes up with a good reason to have it, but in the interest of keeping policies as simple as possible, I think we're better off without it. In particular, if you don't want a group of users creating rules, just lock them out of the application entirely.
The "Manage Global Rules" capability is still around, I think that one's super good.
Test Plan: Edited Herald policies, created a rule.
Reviewers: btrahan
Reviewed By: btrahan
CC: aran
Maniphest Tasks: T603
Differential Revision: https://secure.phabricator.com/D7268
+1
-35
-2
src/__phutil_library_map__.php
-2
src/__phutil_library_map__.php
···
625
625
'HeraldAction' => 'applications/herald/storage/HeraldAction.php',
626
626
'HeraldAdapter' => 'applications/herald/adapter/HeraldAdapter.php',
627
627
'HeraldApplyTranscript' => 'applications/herald/storage/transcript/HeraldApplyTranscript.php',
628
-
'HeraldCapabilityCreateRules' => 'applications/herald/capability/HeraldCapabilityCreateRules.php',
629
628
'HeraldCapabilityManageGlobalRules' => 'applications/herald/capability/HeraldCapabilityManageGlobalRules.php',
630
629
'HeraldCommitAdapter' => 'applications/herald/adapter/HeraldCommitAdapter.php',
631
630
'HeraldCondition' => 'applications/herald/storage/HeraldCondition.php',
···
2727
2726
'HarbormasterScratchTable' => 'HarbormasterDAO',
2728
2727
'HeraldAction' => 'HeraldDAO',
2729
2728
'HeraldApplyTranscript' => 'HeraldDAO',
2730
-
'HeraldCapabilityCreateRules' => 'PhabricatorPolicyCapability',
2731
2729
'HeraldCapabilityManageGlobalRules' => 'PhabricatorPolicyCapability',
2732
2730
'HeraldCommitAdapter' => 'HeraldAdapter',
2733
2731
'HeraldCondition' => 'HeraldDAO',
-2
src/applications/herald/application/PhabricatorApplicationHerald.php
-2
src/applications/herald/application/PhabricatorApplicationHerald.php
···
51
51
52
52
protected function getCustomCapabilities() {
53
53
return array(
54
-
HeraldCapabilityCreateRules::CAPABILITY => array(
55
-
),
56
54
HeraldCapabilityManageGlobalRules::CAPABILITY => array(
57
55
'caption' => pht('Global rules can bypass access controls.'),
58
56
'default' => PhabricatorPolicies::POLICY_ADMIN,
-20
src/applications/herald/capability/HeraldCapabilityCreateRules.php
-20
src/applications/herald/capability/HeraldCapabilityCreateRules.php
···
1
-
<?php
2
-
3
-
final class HeraldCapabilityCreateRules
4
-
extends PhabricatorPolicyCapability {
5
-
6
-
const CAPABILITY = 'herald.create';
7
-
8
-
public function getCapabilityKey() {
9
-
return self::CAPABILITY;
10
-
}
11
-
12
-
public function getCapabilityName() {
13
-
return pht('Can Create Rules');
14
-
}
15
-
16
-
public function describeCapabilityRejection() {
17
-
return pht('You do not have permission to create new Herald rules.');
18
-
}
19
-
20
-
}
+1
-5
src/applications/herald/controller/HeraldController.php
+1
-5
src/applications/herald/controller/HeraldController.php
···
23
23
public function buildApplicationCrumbs() {
24
24
$crumbs = parent::buildApplicationCrumbs();
25
25
26
-
$can_create = $this->hasApplicationCapability(
27
-
HeraldCapabilityCreateRules::CAPABILITY);
28
-
29
26
$crumbs->addAction(
30
27
id(new PHUIListItemView())
31
28
->setName(pht('Create Herald Rule'))
32
29
->setHref($this->getApplicationURI('new/'))
33
-
->setIcon('create')
34
-
->setDisabled(!$can_create));
30
+
->setIcon('create'));
35
31
36
32
return $crumbs;
37
33
}
-3
src/applications/herald/controller/HeraldNewController.php
-3
src/applications/herald/controller/HeraldNewController.php
···
14
14
$request = $this->getRequest();
15
15
$user = $request->getUser();
16
16
17
-
$this->requireApplicationCapability(
18
-
HeraldCapabilityCreateRules::CAPABILITY);
19
-
20
17
$content_type_map = HeraldAdapter::getEnabledAdapterMap($user);
21
18
if (empty($content_type_map[$this->contentType])) {
22
19
$this->contentType = head_key($content_type_map);
-3
src/applications/herald/controller/HeraldRuleController.php
-3
src/applications/herald/controller/HeraldRuleController.php