

Make HeraldRule implement PhabricatorPolicyInterface

Summary:
Ref T603. Ref T2769. Herald currently interacts with policies in a bad way; specifically, I can create a rule which emails me for everything, and thus learn about objects I can't otherwise see.

This shouldn't be possible, so I'm going to reduce personal rules to have only the viewer's scope.

For global rules, I think I'm always going to let any user edit them, but make who the rule acts as part of the configuration. There will be an option to make a rule omnipotent, but only admins (or some other special subset of users) will be able to select it.

Transactions/subscriptions will provide a check against users editing global rules in ways that are bad.

Test Plan: Next diffs.

Reviewers: btrahan

Reviewed By: btrahan

CC: aran

Maniphest Tasks: T603, T2769

Differential Revision: https://secure.phabricator.com/D6649

+42 -2
+5 -1
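--- a/src/__phutil_library_map__.php
+++ b/src/__phutil_library_map__.php
@@ -2624,7 +2624,11 @@
 'HeraldNewController' => 'HeraldController',
 'HeraldPHIDTypeRule' => 'PhabricatorPHIDType',
 'HeraldRecursiveConditionsException' => 'Exception',
-'HeraldRule' => 'HeraldDAO',
+'HeraldRule' =>
+array(
+0 => 'HeraldDAO',
+1 => 'PhabricatorPolicyInterface',
+),
 'HeraldRuleController' => 'HeraldController',
 'HeraldRuleEdit' => 'HeraldDAO',
 'HeraldRuleEditHistoryController' => 'HeraldController',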
+37 -1
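--- a/src/applications/herald/storage/HeraldRule.php
+++ b/src/applications/herald/storage/HeraldRule.php
@@ -1,6 +1,7 @@
 <?php
 
-final class HeraldRule extends HeraldDAO {
+final class HeraldRule extends HeraldDAO
+implements PhabricatorPolicyInterface {
 
 const TABLE_RULE_APPLIED = 'herald_ruleapplied';
 
@@ -230,6 +231,41 @@
 
 public function hasInvalidOwner() {
 return $this->invalidOwner;
+}
+
+public function isGlobalRule() {
+return ($this->getRuleType() === HeraldRuleTypeConfig::RULE_TYPE_GLOBAL);
+}
+
+public function isPersonalRule() {
+return ($this->getRuleType() === HeraldRuleTypeConfig::RULE_TYPE_PERSONAL);
+}
+
+
+/* -( PhabricatorPolicyInterface )----------------------------------------- */
+
+
+public function getCapabilities() {
+return array(
+PhabricatorPolicyCapability::CAN_VIEW,
+PhabricatorPolicyCapability::CAN_EDIT,
+);
+}
+
+public function getPolicy($capability) {
+if ($this->isGlobalRule()) {
+return PhabricatorPolicies::POLICY_USER;
+} else {
+return PhabricatorPolicies::POLICY_NOONE;
+}
+}
+
+public function hasAutomaticCapability($capability, PhabricatorUser $viewer) {
+if ($this->isPersonalRule()) {
+return ($viewer->getPHID() == $this->getAuthorPHID());
+} else {
+return false;
+}
 }
 
 }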
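Review bot: The ownership check in hasAutomaticCapability compares PHIDs with loose `==`, which is the one access-control decision this commit adds for personal rules and should be strict. The class already carries an invalidOwner flag, so an empty or null author PHID looks possible, and under loose comparison a viewer whose PHID is also empty or null (or, on older PHP, a non-string value) would be granted the rule's capabilities; `return ($this->getAuthorPHID() !== null && $viewer->getPHID() === $this->getAuthorPHID());` closes that. It would also help to note on getPolicy that `$capability` is deliberately ignored, so CAN_VIEW and CAN_EDIT currently resolve identically for global rules, since the description says editing by any user is intentional for now; a one-line comment such as `// $capability is intentionally unused: view and edit share one policy for now.` makes that visible to the next reader. The second hunk sits inside the HeraldRule class body, whose other methods are outside this diff.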