Save authorPHID on Passphrase Credentials to support "Credential Author" object policy
Summary: Fixes T5135. Currently, when you create a credential, we default the policies to your PHID. This means we can't have an application-level configurable default because there's no way to select "the actor's PHID" as a policy. Start tracking the credential author's PHID and add an object policy for it, so there is such a setting. Then, add policy defaults. This mostly unblocks T6787. This obsoletes T6860. Test Plan: - Created a credential with "Credential Author" policy. - Verified I can see/edit it, but other users can not. - Changed default policies to something else. Reviewers: btrahan Reviewed By: btrahan Subscribers: epriestley Maniphest Tasks: T5135 Differential Revision: https://secure.phabricator.com/D13385
This commit is contained in:
		
							
								
								
									
										2
									
								
								resources/sql/autopatches/20150621.phrase.1.sql
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										2
									
								
								resources/sql/autopatches/20150621.phrase.1.sql
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,2 @@ | ||||
| ALTER TABLE {$NAMESPACE}_passphrase.passphrase_credential | ||||
|   ADD authorPHID VARBINARY(64) NOT NULL; | ||||
| @@ -1267,6 +1267,7 @@ phutil_register_library_map(array( | ||||
|     'PassphraseConduitAPIMethod' => 'applications/passphrase/conduit/PassphraseConduitAPIMethod.php', | ||||
|     'PassphraseController' => 'applications/passphrase/controller/PassphraseController.php', | ||||
|     'PassphraseCredential' => 'applications/passphrase/storage/PassphraseCredential.php', | ||||
|     'PassphraseCredentialAuthorPolicyRule' => 'applications/passphrase/policyrule/PassphraseCredentialAuthorPolicyRule.php', | ||||
|     'PassphraseCredentialConduitController' => 'applications/passphrase/controller/PassphraseCredentialConduitController.php', | ||||
|     'PassphraseCredentialControl' => 'applications/passphrase/view/PassphraseCredentialControl.php', | ||||
|     'PassphraseCredentialCreateController' => 'applications/passphrase/controller/PassphraseCredentialCreateController.php', | ||||
| @@ -1286,6 +1287,8 @@ phutil_register_library_map(array( | ||||
|     'PassphraseCredentialTypeTestCase' => 'applications/passphrase/credentialtype/__tests__/PassphraseCredentialTypeTestCase.php', | ||||
|     'PassphraseCredentialViewController' => 'applications/passphrase/controller/PassphraseCredentialViewController.php', | ||||
|     'PassphraseDAO' => 'applications/passphrase/storage/PassphraseDAO.php', | ||||
|     'PassphraseDefaultEditCapability' => 'applications/passphrase/capability/PassphraseDefaultEditCapability.php', | ||||
|     'PassphraseDefaultViewCapability' => 'applications/passphrase/capability/PassphraseDefaultViewCapability.php', | ||||
|     'PassphraseNoteCredentialType' => 'applications/passphrase/credentialtype/PassphraseNoteCredentialType.php', | ||||
|     'PassphrasePasswordCredentialType' => 'applications/passphrase/credentialtype/PassphrasePasswordCredentialType.php', | ||||
|     'PassphrasePasswordKey' => 'applications/passphrase/keys/PassphrasePasswordKey.php', | ||||
| @@ -4779,6 +4782,7 @@ phutil_register_library_map(array( | ||||
|       'PhabricatorPolicyInterface', | ||||
|       'PhabricatorDestructibleInterface', | ||||
|     ), | ||||
|     'PassphraseCredentialAuthorPolicyRule' => 'PhabricatorPolicyRule', | ||||
|     'PassphraseCredentialConduitController' => 'PassphraseController', | ||||
|     'PassphraseCredentialControl' => 'AphrontFormControl', | ||||
|     'PassphraseCredentialCreateController' => 'PassphraseController', | ||||
| @@ -4798,6 +4802,8 @@ phutil_register_library_map(array( | ||||
|     'PassphraseCredentialTypeTestCase' => 'PhabricatorTestCase', | ||||
|     'PassphraseCredentialViewController' => 'PassphraseController', | ||||
|     'PassphraseDAO' => 'PhabricatorLiskDAO', | ||||
|     'PassphraseDefaultEditCapability' => 'PhabricatorPolicyCapability', | ||||
|     'PassphraseDefaultViewCapability' => 'PhabricatorPolicyCapability', | ||||
|     'PassphraseNoteCredentialType' => 'PassphraseCredentialType', | ||||
|     'PassphrasePasswordCredentialType' => 'PassphraseCredentialType', | ||||
|     'PassphrasePasswordKey' => 'PassphraseAbstractKey', | ||||
|   | ||||
| @@ -63,4 +63,22 @@ final class PhabricatorPassphraseApplication extends PhabricatorApplication { | ||||
|     ); | ||||
|   } | ||||
|  | ||||
|   protected function getCustomCapabilities() { | ||||
|     $policy_key = id(new PassphraseCredentialAuthorPolicyRule()) | ||||
|       ->getObjectPolicyFullKey(); | ||||
|  | ||||
|     return array( | ||||
|       PassphraseDefaultViewCapability::CAPABILITY => array( | ||||
|         'caption' => pht('Default view policy for newly created credentials.'), | ||||
|         'template' => PassphraseCredentialPHIDType::TYPECONST, | ||||
|         'default' => $policy_key, | ||||
|       ), | ||||
|       PassphraseDefaultEditCapability::CAPABILITY => array( | ||||
|         'caption' => pht('Default edit policy for newly created credentials.'), | ||||
|         'template' => PassphraseCredentialPHIDType::TYPECONST, | ||||
|         'default' => $policy_key, | ||||
|       ), | ||||
|     ); | ||||
|   } | ||||
|  | ||||
| } | ||||
|   | ||||
| @@ -0,0 +1,12 @@ | ||||
| <?php | ||||
|  | ||||
| final class PassphraseDefaultEditCapability | ||||
|   extends PhabricatorPolicyCapability { | ||||
|  | ||||
|   const CAPABILITY = 'passphrase.default.edit'; | ||||
|  | ||||
|   public function getCapabilityName() { | ||||
|     return pht('Default Edit Policy'); | ||||
|   } | ||||
|  | ||||
| } | ||||
| @@ -0,0 +1,16 @@ | ||||
| <?php | ||||
|  | ||||
| final class PassphraseDefaultViewCapability | ||||
|   extends PhabricatorPolicyCapability { | ||||
|  | ||||
|   const CAPABILITY = 'passphrase.default.view'; | ||||
|  | ||||
|   public function getCapabilityName() { | ||||
|     return pht('Default View Policy'); | ||||
|   } | ||||
|  | ||||
|   public function shouldAllowPublicPolicySetting() { | ||||
|     return true; | ||||
|   } | ||||
|  | ||||
| } | ||||
| @@ -0,0 +1,48 @@ | ||||
| <?php | ||||
|  | ||||
| final class PassphraseCredentialAuthorPolicyRule | ||||
|   extends PhabricatorPolicyRule { | ||||
|  | ||||
|   public function getObjectPolicyKey() { | ||||
|     return 'passphrase.author'; | ||||
|   } | ||||
|  | ||||
|   public function getObjectPolicyName() { | ||||
|     return pht('Credential Author'); | ||||
|   } | ||||
|  | ||||
|   public function getPolicyExplanation() { | ||||
|     return pht('The author of this credential can take this action.'); | ||||
|   } | ||||
|  | ||||
|   public function getRuleDescription() { | ||||
|     return pht('credential author'); | ||||
|   } | ||||
|  | ||||
|   public function canApplyToObject(PhabricatorPolicyInterface $object) { | ||||
|     return ($object instanceof PassphraseCredential); | ||||
|   } | ||||
|  | ||||
|   public function applyRule( | ||||
|     PhabricatorUser $viewer, | ||||
|     $value, | ||||
|     PhabricatorPolicyInterface $object) { | ||||
|  | ||||
|     $author_phid = $object->getAuthorPHID(); | ||||
|     if (!$author_phid) { | ||||
|       return false; | ||||
|     } | ||||
|  | ||||
|     $viewer_phid = $viewer->getPHID(); | ||||
|     if (!$viewer_phid) { | ||||
|       return false; | ||||
|     } | ||||
|  | ||||
|     return ($viewer_phid == $author_phid); | ||||
|   } | ||||
|  | ||||
|   public function getValueControlType() { | ||||
|     return self::CONTROL_TYPE_NONE; | ||||
|   } | ||||
|  | ||||
| } | ||||
| @@ -17,17 +17,27 @@ final class PassphraseCredential extends PassphraseDAO | ||||
|   protected $isDestroyed; | ||||
|   protected $isLocked = 0; | ||||
|   protected $allowConduit = 0; | ||||
|   protected $authorPHID; | ||||
|  | ||||
|   private $secret = self::ATTACHABLE; | ||||
|  | ||||
|   public static function initializeNewCredential(PhabricatorUser $actor) { | ||||
|     $app = id(new PhabricatorApplicationQuery()) | ||||
|       ->setViewer($actor) | ||||
|       ->withClasses(array('PhabricatorPassphraseApplication')) | ||||
|       ->executeOne(); | ||||
|  | ||||
|     $view_policy = $app->getPolicy(PassphraseDefaultViewCapability::CAPABILITY); | ||||
|     $edit_policy = $app->getPolicy(PassphraseDefaultEditCapability::CAPABILITY); | ||||
|  | ||||
|     return id(new PassphraseCredential()) | ||||
|       ->setName('') | ||||
|       ->setUsername('') | ||||
|       ->setDescription('') | ||||
|       ->setIsDestroyed(0) | ||||
|       ->setViewPolicy($actor->getPHID()) | ||||
|       ->setEditPolicy($actor->getPHID()); | ||||
|       ->setAuthorPHID($actor->getPHID()) | ||||
|       ->setViewPolicy($view_policy) | ||||
|       ->setEditPolicy($edit_policy); | ||||
|   } | ||||
|  | ||||
|   public function getMonogram() { | ||||
|   | ||||
		Reference in New Issue
	
	Block a user
	 epriestley
					epriestley