From 32edb7e2bbe8b332e8a50bd7671cd221a4dd1cd4 Mon Sep 17 00:00:00 2001
From: Bob Trahan <btrahan@phacility.com>
Date: Tue, 13 Jan 2015 12:03:11 -0800
Subject: [PATCH] Followup from D11358#106424 and make policy.locked fully work

Summary: Fast commit. Also forgot to make the config override the existing policy. I *think* this is the right spot and we're good? Ref T6947.

Test Plan: viewed the application settings page for people application and saw the correct overrode setting.

Reviewers: epriestley

Reviewed By: epriestley

Subscribers: Korvin, epriestley

Maniphest Tasks: T6947

Differential Revision: https://secure.phabricator.com/D11373
---
 src/applications/base/PhabricatorApplication.php             | 5 +++++
 .../meta/controller/PhabricatorApplicationEditController.php | 5 ++---
 .../policy/config/PhabricatorPolicyConfigOptions.php         | 1 +
 3 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/src/applications/base/PhabricatorApplication.php b/src/applications/base/PhabricatorApplication.php
index 43f39cd500..fdded7fd25 100644
--- a/src/applications/base/PhabricatorApplication.php
+++ b/src/applications/base/PhabricatorApplication.php
@@ -454,6 +454,11 @@ abstract class PhabricatorApplication implements PhabricatorPolicyInterface {
       return null;
     }
 
+    $policy_locked = PhabricatorEnv::getEnvConfig('policy.locked');
+    if (isset($policy_locked[$capability])) {
+      return $policy_locked[$capability];
+    }
+
     return idx($policy, $capability);
   }
 
diff --git a/src/applications/meta/controller/PhabricatorApplicationEditController.php b/src/applications/meta/controller/PhabricatorApplicationEditController.php
index fa630d71ec..b29d33b7ce 100644
--- a/src/applications/meta/controller/PhabricatorApplicationEditController.php
+++ b/src/applications/meta/controller/PhabricatorApplicationEditController.php
@@ -115,11 +115,10 @@ final class PhabricatorApplicationEditController
       ->setUser($user);
 
     $locked_policies = PhabricatorEnv::getEnvConfig('policy.locked');
-    $locked_map = array_fill_keys($locked_policies, true);
     foreach ($application->getCapabilities() as $capability) {
       $label = $application->getCapabilityLabel($capability);
       $can_edit = $application->isCapabilityEditable($capability);
-      $locked = idx($locked_map, $capability);
+      $locked = idx($locked_policies, $capability);
       $caption = $application->getCapabilityCaption($capability);
 
       if (!$can_edit || $locked) {
@@ -132,7 +131,7 @@ final class PhabricatorApplicationEditController
         $form->appendChild(
           id(new AphrontFormPolicyControl())
           ->setUser($user)
-          ->setDisabled(idx($locked_map, $capability))
+          ->setDisabled($locked)
           ->setCapability($capability)
           ->setPolicyObject($application)
           ->setPolicies($policies)
diff --git a/src/applications/policy/config/PhabricatorPolicyConfigOptions.php b/src/applications/policy/config/PhabricatorPolicyConfigOptions.php
index 1f34822a32..9af77c525d 100644
--- a/src/applications/policy/config/PhabricatorPolicyConfigOptions.php
+++ b/src/applications/policy/config/PhabricatorPolicyConfigOptions.php
@@ -46,6 +46,7 @@ final class PhabricatorPolicyConfigOptions
             "available, and the most open policy is 'All Users' (which means ".
             "users must have accounts and be logged in to view things).")),
       $this->newOption('policy.locked', $policy_locked_type, array())
+        ->setLocked(true)
         ->setSummary(pht(
           'Lock specific application policies so they can not be edited.'))
         ->setDescription(pht(