
Add Diffusion policy capability "Can Edit and View Identities"

Summary:
Make it possible to restrict who can edit Diffusion identities.
Make it possible to restrict who can view other users' email addresses.

Closes T15443

Test Plan:
* As an admin, go to `/applications/view/PhabricatorDiffusionApplication/` and see new policy "Can Edit and View Identities" set to "All Users" (as implicitly before)
* As an admin, go to `/applications/view/PhabricatorDiffusionApplication/` and change "Can Edit and View Identities" from "All Users" to "Administrators"
* As a non-admin, go to `/diffusion/identity/` and try to select the disabled "Create Identity" button; get an error message clicking it due to lack of permissions
* Given there is at least one identity defined, as a non-admin, go directly to `/diffusion/identity/view/1/` and get "You do not have permission to view this object."
* Given there is at least one identity defined, as a non-admin, go directly to `/diffusion/identity/edit/1/` and get "You do not have permission to view this object."
* As a non-admin, go directly to `/diffusion/identity/edit/form/default/` and get "You do not have permission to edit this object."
* As a non-admin, go directly to `/diffusion/identity/` and get "No Identities found." instead of seeing the existing identities listed.
* As an admin, go to `/diffusion/identity/` and still see the existing identities listed.
* As an admin, go to `/diffusion/identity/`, select "Create Identity" to go to `/diffusion/identity/edit/` and see the "Create Identity" page (though broken; see T15453)
* As an admin, go to `/diffusion/identity/view/1/` and still see the existing identity.
* As an admin, go to `/diffusion/identity/edit/1/` and successfully edit the existing identity.

Reviewers: O1 Blessed Committers, speck, valerio.bozzolan

Reviewed By: O1 Blessed Committers, speck, valerio.bozzolan

Subscribers: speck, tobiaswiese, valerio.bozzolan, Matthew, Cigaryno

Maniphest Tasks: T15443

Differential Revision: https://we.phorge.it/D25450

+27 -2
+2
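--- a/src/__phutil_library_map__.php
+++ b/src/__phutil_library_map__.php
@@ -4628,6 +4628,7 @@
 'PhabricatorRepositoryIdentityAssignTransaction' => 'applications/repository/xaction/PhabricatorRepositoryIdentityAssignTransaction.php',
 'PhabricatorRepositoryIdentityChangeWorker' => 'applications/repository/worker/PhabricatorRepositoryIdentityChangeWorker.php',
 'PhabricatorRepositoryIdentityEditEngine' => 'applications/repository/engine/PhabricatorRepositoryIdentityEditEngine.php',
+'PhabricatorRepositoryIdentityEditViewCapability' => 'applications/repository/capability/PhabricatorRepositoryIdentityEditViewCapability.php',
 'PhabricatorRepositoryIdentityFerretEngine' => 'applications/repository/search/PhabricatorRepositoryIdentityFerretEngine.php',
 'PhabricatorRepositoryIdentityPHIDType' => 'applications/repository/phid/PhabricatorRepositoryIdentityPHIDType.php',
 'PhabricatorRepositoryIdentityQuery' => 'applications/repository/query/PhabricatorRepositoryIdentityQuery.php',
@@ -11325,6 +11326,7 @@
 'PhabricatorRepositoryIdentityAssignTransaction' => 'PhabricatorRepositoryIdentityTransactionType',
 'PhabricatorRepositoryIdentityChangeWorker' => 'PhabricatorWorker',
 'PhabricatorRepositoryIdentityEditEngine' => 'PhabricatorEditEngine',
+'PhabricatorRepositoryIdentityEditViewCapability' => 'PhabricatorPolicyCapability',
 'PhabricatorRepositoryIdentityFerretEngine' => 'PhabricatorFerretEngine',
 'PhabricatorRepositoryIdentityPHIDType' => 'PhabricatorPHIDType',
 'PhabricatorRepositoryIdentityQuery' => 'PhabricatorCursorPagedPolicyAwareQuery',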
+3
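--- a/src/applications/diffusion/application/PhabricatorDiffusionApplication.php
+++ b/src/applications/diffusion/application/PhabricatorDiffusionApplication.php
@@ -183,6 +183,9 @@
 DiffusionCreateRepositoriesCapability::CAPABILITY => array(
 'default' => PhabricatorPolicies::POLICY_ADMIN,
 ),
+PhabricatorRepositoryIdentityEditViewCapability::CAPABILITY => array(
+'default' => PhabricatorPolicies::POLICY_USER,
+),
 );
 }
 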
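Review bot: The new capability is registered with only `'default' => PhabricatorPolicies::POLICY_USER`, so after an upgrade every logged-in account can still view and edit identities until an administrator tightens the policy. Nothing on the policy screen indicates that this setting also decides who sees the email addresses held in identities. Adding a caption next to the default, for example `'caption' => pht('Controls who can view, create and edit repository identities, including the email addresses they contain.'),`, would surface that where the policy is chosen. The enclosing method starts outside the hunk.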
+16
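--- a/src/applications/repository/capability/PhabricatorRepositoryIdentityEditViewCapability.php
+++ b/src/applications/repository/capability/PhabricatorRepositoryIdentityEditViewCapability.php
@@ -0,0 +1,16 @@
+<?php
+
+final class PhabricatorRepositoryIdentityEditViewCapability
+extends PhabricatorPolicyCapability {
+
+const CAPABILITY = 'repository.identity.create';
+
+public function getCapabilityName() {
+return pht('Can Edit and View Identities');
+}
+
+public function describeCapabilityRejection() {
+return pht('You do not have permission to create or edit identities.');
+}
+
+}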
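Review bot: The key `const CAPABILITY = 'repository.identity.create';` names only creation, while the class name, `getCapabilityName()` and the two callers in this commit use the capability for viewing and editing as well. That string is presumably the identifier the chosen policy is stored under, so renaming it later would need a migration; a key that matches the real scope is cheapest to pick before release. The rejection text in `describeCapabilityRejection()` likewise mentions only "create or edit" and could name viewing too. A class docblock such as `/** Application-level capability gating who may view, create and edit repository identities. */` would record the intended scope.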
+2 -1
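--- a/src/applications/repository/engine/PhabricatorRepositoryIdentityEditEngine.php
+++ b/src/applications/repository/engine/PhabricatorRepositoryIdentityEditEngine.php
@@ -70,7 +70,8 @@
 }
 
 protected function getCreateNewObjectPolicy() {
-return PhabricatorPolicies::POLICY_USER;
+return $this->getApplication()->getPolicy(
+PhabricatorRepositoryIdentityEditViewCapability::CAPABILITY);
 }
 
 protected function buildCustomEditFields($object) {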
+4 -1
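--- a/src/applications/repository/storage/PhabricatorRepositoryIdentity.php
+++ b/src/applications/repository/storage/PhabricatorRepositoryIdentity.php
@@ -142,7 +142,10 @@
 }
 
 public function getPolicy($capability) {
-return PhabricatorPolicies::getMostOpenPolicy();
+$app = PhabricatorApplication::getByClass(
+'PhabricatorDiffusionApplication');
+return $app->getPolicy(
+PhabricatorRepositoryIdentityEditViewCapability::CAPABILITY);
 }
 
 public function hasAutomaticCapability(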
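Review bot: `getPolicy($capability)` still ignores its argument, so viewing and editing an identity are both bound to the one Diffusion application policy and cannot be granted separately. A comment in the body such as `// View and edit intentionally share one application-level capability.` would stop a later reader from assuming per-capability behaviour. The removed line returned `getMostOpenPolicy()`, which can resolve to the public policy on installs that allow public access. With the new `POLICY_USER` default, logged-out viewers there presumably lose sight of identities, a case the Test Plan does not exercise. Code outside this hunk that loads identities on behalf of a real viewer would also start filtering them once the policy is tightened, so those call sites are worth checking; `hasAutomaticCapability()` begins on the last line of the hunk and its body is not visible.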