Add user omnipotence
Summary: Daemons (and probably a few other things) need to make queries without having a real user. Introduce a formal omnipotent user who can bypass any policy restriction. (I called this "omnipotent" rather than "omniscient" because it can bypass CAN_EDIT, CAN_JOIN, etc. "Omnicapable" might be a better word, but AFAIK is not a real word.) Test Plan: Unit tests. Reviewers: vrana, edward Reviewed By: edward CC: aran Maniphest Tasks: T603 Differential Revision: https://secure.phabricator.com/D5149
@@ -26,6 +26,7 @@ final class PhabricatorUser extends PhabricatorUserDAO implements PhutilPerson {
|
|||||||
protected $isDisabled = 0;
|
protected $isDisabled = 0;
|
||||||
|
|
||||||
private $preferences = null;
|
private $preferences = null;
|
||||||
|
private $omnipotent = false;
|
||||||
|
|
||||||
protected function readField($field) {
|
protected function readField($field) {
|
||||||
switch ($field) {
|
switch ($field) {
|
||||||
@@ -661,4 +662,35 @@ EOBODY;
|
|||||||
$email->getUserPHID());
|
$email->getUserPHID());
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
/* -( Omnipotence )-------------------------------------------------------- */
|
||||||
|
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Returns true if this user is omnipotent. Omnipotent users bypass all policy
|
||||||
|
* checks.
|
||||||
|
*
|
||||||
|
* @return bool True if the user bypasses policy checks.
|
||||||
|
*/
|
||||||
|
public function isOmnipotent() {
|
||||||
|
return $this->omnipotent;
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Get an omnipotent user object for use in contexts where there is no acting
|
||||||
|
* user, notably daemons.
|
||||||
|
*
|
||||||
|
* @return PhabricatorUser An omnipotent user.
|
||||||
|
*/
|
||||||
|
public static function getOmnipotentUser() {
|
||||||
|
static $user = null;
|
||||||
|
if (!$user) {
|
||||||
|
$user = new PhabricatorUser();
|
||||||
|
$user->omnipotent = true;
|
||||||
|
$user->makeEphemeral();
|
||||||
|
}
|
||||||
|
return $user;
|
||||||
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|||||||
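Review bot: The docblock on `getOmnipotentUser()` says where the object is meant to be used but not where it must not be, and this method hands out a viewer that skips every policy check. I would add a sentence such as `Never use this as the viewer for work done on behalf of a request or a real user; it is only for code that has no acting user.` The instance is cached in a `static` and the same object is returned to every caller, so a caller that mutates it changes it for all later callers in the process; the comment should say the returned object is to be treated as read-only. Keeping `$omnipotent` private with no setter is what stops other code from setting the flag, and the `isOmnipotent()` docblock is a good place to state that so a setter is not added later.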
@@ -154,6 +154,24 @@ final class PhabricatorPolicyTestCase extends PhabricatorTestCase {
|
|||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Test that omnipotent users bypass policies.
|
||||||
|
*/
|
||||||
|
public function testOmnipotence() {
|
||||||
|
$results = array(
|
||||||
|
$this->buildObject(PhabricatorPolicies::POLICY_NOONE),
|
||||||
|
);
|
||||||
|
|
||||||
|
$query = new PhabricatorPolicyAwareTestQuery();
|
||||||
|
$query->setResults($results);
|
||||||
|
$query->setViewer(PhabricatorUser::getOmnipotentUser());
|
||||||
|
|
||||||
|
$this->assertEqual(
|
||||||
|
1,
|
||||||
|
count($query->execute()));
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Test an object for visibility across multiple user specifications.
|
* Test an object for visibility across multiple user specifications.
|
||||||
*/
|
*/
|
||||||
|
|||||||
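Review bot: `testOmnipotence()` covers only the positive case, that the omnipotent viewer gets the `POLICY_NOONE` object back; nothing pins the default that an ordinary user is not omnipotent. A change that flipped the `$omnipotent` default would still pass this test while disabling policy checks for everyone. I would add a negative assertion next to it, `$user = new PhabricatorUser();` followed by `$this->assertEqual(false, $user->isOmnipotent());`. The commit message mentions bypassing CAN_EDIT and CAN_JOIN, but which capability the test query checks is not visible in this hunk, so those may be untested.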
@@ -173,6 +173,10 @@ final class PhabricatorPolicyFilter {
|
|||||||
|
|
||||||
$viewer = $this->viewer;
|
$viewer = $this->viewer;
|
||||||
|
|
||||||
|
if ($viewer->isOmnipotent()) {
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
if ($object->hasAutomaticCapability($capability, $viewer)) {
|
if ($object->hasAutomaticCapability($capability, $viewer)) {
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|||||||
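Review bot: The new `if ($viewer->isOmnipotent())` return sits ahead of `hasAutomaticCapability()` and every later check, and nothing marks it as deliberate. Since this is the point where policy enforcement is skipped entirely, I would put `// Omnipotent viewers (daemons and similar) skip all policy checks, including the ones below.` above it. The call also dereferences `$viewer` unconditionally; the enclosing method starts and ends outside the hunk, so whether the viewer can be unset here is not visible, but if it can, this line now raises a fatal error where the old code passed the value on. Enforcement paths that do not go through this filter, if any exist, would not honour the bypass, which is worth confirming against the daemon use case.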