@recaptime-dev's working patches + fork for Phorge, a community fork of Phabricator. (Upstream dev and stable branches are at upstream/main and upstream/stable respectively.)
hq.recaptime.dev/wiki/Phorge
phorge
phabricator
People - add application policy on user creation
Summary: Ref T6947.
Test Plan: made the setting say only admin user a and noted admin user b lost access
Reviewers: epriestley
Reviewed By: epriestley
Subscribers: Korvin, epriestley
Maniphest Tasks: T4137, T6947
Differential Revision: https://secure.phabricator.com/D11357
+40
-22
+2
src/__phutil_library_map__.php
+2
src/__phutil_library_map__.php
···
1224
1224
'PasteQueryConduitAPIMethod' => 'applications/paste/conduit/PasteQueryConduitAPIMethod.php',
1225
1225
'PasteReplyHandler' => 'applications/paste/mail/PasteReplyHandler.php',
1226
1226
'PeopleBrowseUserDirectoryCapability' => 'applications/people/capability/PeopleBrowseUserDirectoryCapability.php',
1227
+
'PeopleCreateUsersCapability' => 'applications/people/capability/PeopleCreateUsersCapability.php',
1227
1228
'PeopleUserLogGarbageCollector' => 'applications/people/garbagecollector/PeopleUserLogGarbageCollector.php',
1228
1229
'Phabricator404Controller' => 'applications/base/controller/Phabricator404Controller.php',
1229
1230
'PhabricatorAPCSetupCheck' => 'applications/config/check/PhabricatorAPCSetupCheck.php',
···
4382
4383
'PasteQueryConduitAPIMethod' => 'PasteConduitAPIMethod',
4383
4384
'PasteReplyHandler' => 'PhabricatorMailReplyHandler',
4384
4385
'PeopleBrowseUserDirectoryCapability' => 'PhabricatorPolicyCapability',
4386
+
'PeopleCreateUsersCapability' => 'PhabricatorPolicyCapability',
4385
4387
'PeopleUserLogGarbageCollector' => 'PhabricatorGarbageCollector',
4386
4388
'Phabricator404Controller' => 'PhabricatorController',
4387
4389
'PhabricatorAPCSetupCheck' => 'PhabricatorSetupCheck',
+3
src/applications/people/application/PhabricatorPeopleApplication.php
+3
src/applications/people/application/PhabricatorPeopleApplication.php
+16
src/applications/people/capability/PeopleCreateUsersCapability.php
+16
src/applications/people/capability/PeopleCreateUsersCapability.php
···
1
+
<?php
2
+
3
+
final class PeopleCreateUsersCapability
4
+
extends PhabricatorPolicyCapability {
5
+
6
+
const CAPABILITY = 'people.create.users';
7
+
8
+
public function getCapabilityName() {
9
+
return pht('Can Create Users');
10
+
}
11
+
12
+
public function describeCapabilityRejection() {
13
+
return pht('You do not have permission to create users.');
14
+
}
15
+
16
+
}
+8
-7
src/applications/people/controller/PhabricatorPeopleController.php
+8
-7
src/applications/people/controller/PhabricatorPeopleController.php
···
37
37
38
38
$viewer = $this->getRequest()->getUser();
39
39
40
-
if ($viewer->getIsAdmin()) {
41
-
$crumbs->addAction(
42
-
id(new PHUIListItemView())
43
-
->setName(pht('Create New User'))
44
-
->setHref($this->getApplicationURI('create/'))
45
-
->setIcon('fa-plus-square'));
46
-
}
40
+
$can_create = $this->hasApplicationCapability(
41
+
PeopleCreateUsersCapability::CAPABILITY);
42
+
$crumbs->addAction(
43
+
id(new PHUIListItemView())
44
+
->setName(pht('Create New User'))
45
+
->setHref($this->getApplicationURI('create/'))
46
+
->setDisabled(!$can_create)
47
+
->setIcon('fa-plus-square'));
47
48
48
49
return $crumbs;
49
50
}
+3
-2
src/applications/people/controller/PhabricatorPeopleCreateController.php
+3
-2
src/applications/people/controller/PhabricatorPeopleCreateController.php
···
3
3
final class PhabricatorPeopleCreateController
4
4
extends PhabricatorPeopleController {
5
5
6
-
public function processRequest() {
7
-
$request = $this->getRequest();
6
+
public function handleRequest(AphrontRequest $request) {
7
+
$this->requireApplicationCapability(
8
+
PeopleCreateUsersCapability::CAPABILITY);
8
9
$admin = $request->getUser();
9
10
10
11
id(new PhabricatorAuthSessionEngine())->requireHighSecuritySession(
+3
-3
src/applications/people/controller/PhabricatorPeopleLdapController.php
+3
-3
src/applications/people/controller/PhabricatorPeopleLdapController.php
···
3
3
final class PhabricatorPeopleLdapController
4
4
extends PhabricatorPeopleController {
5
5
6
-
public function processRequest() {
7
-
8
-
$request = $this->getRequest();
6
+
public function handleRequest(AphrontRequest $request) {
7
+
$this->requireApplicationCapability(
8
+
PeopleCreateUsersCapability::CAPABILITY);
9
9
$admin = $request->getUser();
10
10
11
11
$content = array();
+5
-10
src/applications/people/controller/PhabricatorPeopleNewController.php
+5
-10
src/applications/people/controller/PhabricatorPeopleNewController.php
···
3
3
final class PhabricatorPeopleNewController
4
4
extends PhabricatorPeopleController {
5
5
6
-
private $type;
7
-
8
-
public function willProcessRequest(array $data) {
9
-
$this->type = $data['type'];
10
-
}
11
-
12
-
public function processRequest() {
13
-
$request = $this->getRequest();
6
+
public function handleRequest(AphrontRequest $request) {
7
+
$this->requireApplicationCapability(
8
+
PeopleCreateUsersCapability::CAPABILITY);
9
+
$type = $request->getURIData('type');
14
10
$admin = $request->getUser();
15
11
16
-
switch ($this->type) {
12
+
switch ($type) {
17
13
case 'standard':
18
14
$is_bot = false;
19
15
break;
···
36
32
37
33
$new_email = null;
38
34
39
-
$request = $this->getRequest();
40
35
if ($request->isFormPost()) {
41
36
$welcome_checked = $request->getInt('welcome');
42
37