recaptime.dev / phorge
@recaptime-dev's working patches + fork for Phorge, a community fork of Phabricator. (Upstream dev and stable branches are at upstream/main and upstream/stable respectively.) hq.recaptime.dev/wiki/Phorge
phorge phabricator
1
fork

Configure Feed

Select the types of activity you want to include in your feed.

Allow "Can Configure Application" permissions to be configured

Summary:
Ref T13216. See PHI980. Currently, each application in {nav Applications > X > Configure} has a "Can Configure Application" permission which is hard-coded to "Administrators".

There's no technical reason for this, there just hasn't been a great use case for unlocking it. I think when I originally wrote it our protections against locking yourself out of things weren't that great (i.e., it was easier to set the policy to something that prevented you from editing it after the new policy took effect). Our protections are better now.

The major goal here is to let installs open up Custom Forms for given applications (mostly Maniphest) to more users, but the other options mostly go hand-in-hand with that.

Also, in developer mode, include stack traces for policy exceptions. This makes debugging weird stuff (like the indirect Config application errors here) easier.

Test Plan:
- Granted "Can Configure Application" for Maniphest to all users.
- Edited custom forms as a non-administrator.
- Configured Maniphest as a non-administrator.
- Installed/uninstalled Maniphest as a non-administrator.
- Tried to lock myself out (got an error message).

{F6015721}

Reviewers: amckinley, joshuaspence

Reviewed By: joshuaspence

Subscribers: joshuaspence

Maniphest Tasks: T13216

Differential Revision: https://secure.phabricator.com/D19822

epriestley 9481b9ef cb033673

+36 -6
+12
src/aphront/handler/PhabricatorPolicyRequestExceptionHandler.php
··· 83 83 $dialog->appendList($list); 84 84 } 85 85 86 + // If the install is in developer mode, include a stack trace for the 87 + // exception. When debugging things, it isn't always obvious where a 88 + // policy exception came from and this can make it easier to hunt down 89 + // bugs or improve ambiguous/confusing messaging. 90 + 91 + $is_developer = PhabricatorEnv::getEnvConfig('phabricator.developer-mode'); 92 + if ($is_developer) { 93 + $dialog->appendChild( 94 + id(new AphrontStackTraceView()) 95 + ->setTrace($throwable->getTrace())); 96 + } 97 + 86 98 if ($request->isAjax()) { 87 99 $dialog->addCancelButton('/', pht('Close')); 88 100 } else {
+1 -1
src/applications/base/PhabricatorApplication.php
··· 545 545 case PhabricatorPolicyCapability::CAN_VIEW: 546 546 return $this->canUninstall(); 547 547 case PhabricatorPolicyCapability::CAN_EDIT: 548 - return false; 548 + return true; 549 549 default: 550 550 $spec = $this->getCustomCapabilitySpecification($capability); 551 551 return idx($spec, 'edit', true);
+6 -1
src/applications/config/editor/PhabricatorConfigEditor.php
··· 118 118 PhabricatorUser $user, 119 119 PhabricatorConfigEntry $config_entry, 120 120 $value, 121 - PhabricatorContentSource $source) { 121 + PhabricatorContentSource $source, 122 + $acting_as_phid = null) { 122 123 123 124 $xaction = id(new PhabricatorConfigTransaction()) 124 125 ->setTransactionType(PhabricatorConfigTransaction::TYPE_EDIT) ··· 132 133 ->setActor($user) 133 134 ->setContinueOnNoEffect(true) 134 135 ->setContentSource($source); 136 + 137 + if ($acting_as_phid) { 138 + $editor->setActingAsPHID($acting_as_phid); 139 + } 135 140 136 141 $editor->applyTransactions($config_entry, array($xaction)); 137 142 }
+11 -2
src/applications/meta/xactions/PhabricatorApplicationPolicyChangeTransaction.php
··· 35 35 36 36 $editor = $this->getEditor(); 37 37 $content_source = $editor->getContentSource(); 38 + 39 + // NOTE: We allow applications to have custom edit policies, but they are 40 + // currently stored in the Config application. The ability to edit Config 41 + // values is always restricted to administrators, today. Empower this 42 + // particular edit to punch through possible stricter policies, so normal 43 + // users can change application configuration if the application allows 44 + // them to do so. 45 + 38 46 PhabricatorConfigEditor::storeNewValue( 39 - $user, 47 + PhabricatorUser::getOmnipotentUser(), 40 48 $config_entry, 41 49 $current_value, 42 - $content_source); 50 + $content_source, 51 + $user->getPHID()); 43 52 } 44 53 45 54 public function getTitle() {
+6 -2
src/applications/meta/xactions/PhabricatorApplicationUninstallTransaction.php
··· 43 43 44 44 $editor = $this->getEditor(); 45 45 $content_source = $editor->getContentSource(); 46 + 47 + // Today, changing config requires "Administrator", but "Can Edit" on 48 + // applications to let you uninstall them may be granted to any user. 46 49 PhabricatorConfigEditor::storeNewValue( 47 - $user, 50 + PhabricatorUser::getOmnipotentUser(), 48 51 $config_entry, 49 52 $list, 50 - $content_source); 53 + $content_source, 54 + $user->getPHID()); 51 55 } 52 56 53 57 public function getTitle() {