No OneTemporary
Actions

Size

37 KB

Referenced Files

None

Subscribers

None

View Options

	diff --git a/src/applications/policy/controller/PhabricatorPolicyExplainController.php b/src/applications/policy/controller/PhabricatorPolicyExplainController.php
	index a4ba355b16..8b41ef7357 100644
	--- a/src/applications/policy/controller/PhabricatorPolicyExplainController.php
	+++ b/src/applications/policy/controller/PhabricatorPolicyExplainController.php
	@@ -1,348 +1,348 @@
	<?php

	final class PhabricatorPolicyExplainController
	extends PhabricatorPolicyController {

	public function shouldAllowPublic() {
	return true;
	}

	public function handleRequest(AphrontRequest $request) {
	$viewer = $this->getViewer();

	$phid = $request->getURIData('phid');
	$capability = $request->getURIData('capability');

	$object = id(new PhabricatorObjectQuery())
	->setViewer($viewer)
	->withPHIDs(array($phid))
	->executeOne();
	if (!$object) {
	return new Aphront404Response();
	}

	$policies = PhabricatorPolicyQuery::loadPolicies(
	$viewer,
	$object);

	$policy = idx($policies, $capability);
	if (!$policy) {
	return new Aphront404Response();
	}

	$handle = id(new PhabricatorHandleQuery())
	->setViewer($viewer)
	->withPHIDs(array($phid))
	->executeOne();

	$object_name = $handle->getName();
	$object_uri = nonempty($handle->getURI(), '/');

	$dialog = id(new AphrontDialogView())
	->setUser($viewer)
	->setClass('aphront-access-dialog aphront-policy-explain-dialog')
	->setTitle(pht('Policy Details: %s', $object_name))
	->addCancelButton($object_uri, pht('Done'));

	$space_section = $this->buildSpaceSection(
	$object,
	$policy,
	$capability);

	$extended_section = $this->buildExtendedSection(
	$object,
	$capability);

	$exceptions_section = $this->buildExceptionsSection(
	$object,
	$capability);

	$object_section = $this->buildObjectSection(
	$object,
	$policy,
	$capability,
	$handle);

	$dialog->appendChild(
	array(
	$space_section,
	$extended_section,
	$exceptions_section,
	$object_section,
	));


	return $dialog;
	}

	private function buildSpaceSection(
	PhabricatorPolicyInterface $object,
	PhabricatorPolicy $policy,
	$capability) {
	$viewer = $this->getViewer();

	if (!($object instanceof PhabricatorSpacesInterface)) {
	return null;
	}

	if (!PhabricatorSpacesNamespaceQuery::getSpacesExist()) {
	return null;
	}

	$space_phid = PhabricatorSpacesNamespaceQuery::getObjectSpacePHID(
	$object);

	$spaces = PhabricatorSpacesNamespaceQuery::getViewerSpaces($viewer);
	$space = idx($spaces, $space_phid);
	if (!$space) {
	return null;
	}

	$space_policies = PhabricatorPolicyQuery::loadPolicies($viewer, $space);
	$space_policy = idx($space_policies, PhabricatorPolicyCapability::CAN_VIEW);
	if (!$space_policy) {
	return null;
	}

	$doc_href = PhabricatorEnv::getDoclink('Spaces User Guide');
	$capability_name = $this->getCapabilityName($capability);

	$space_section = id(new PHUIPolicySectionView())
	->setViewer($viewer)
	->setIcon('fa-th-large bluegrey')
	->setHeader(pht('Space'))
	->setDocumentationLink(pht('Spaces Documentation'), $doc_href)
	->appendList(
	array(
	array(
	phutil_tag('strong', array(), pht('Space:')),
	' ',
	$viewer->renderHandle($space_phid)->setAsTag(true),
	),
	array(
	phutil_tag('strong', array(), pht('%s:', $capability_name)),
	' ',
	$space_policy->getShortName(),
	),
	))
	->appendParagraph(
	pht(
	'This object is in %s and can only be seen or edited by users '.
	'with access to view objects in the space.',
	$viewer->renderHandle($space_phid)));

	$space_explanation = PhabricatorPolicy::getPolicyExplanation(
	$viewer,
	$space_policy->getPHID());
	$items = array();
	$items[] = $space_explanation;

	$space_section
	->appendParagraph(pht('Users who can see objects in this space:'))
	->appendList($items);

	$view_capability = PhabricatorPolicyCapability::CAN_VIEW;
	if ($capability == $view_capability) {
	$stronger = $space_policy->isStrongerThan($policy);
	if ($stronger) {
	$space_section->appendHint(
	pht(
	'The space this object is in has a more restrictive view '.
	'policy ("%s") than the object does ("%s"), so the space\'s '.
	'view policy is shown as a hint instead of the object policy.',
	$space_policy->getShortName(),
	$policy->getShortName()));
	}
	}

	$space_section->appendHint(
	pht(
	'After a user passes space policy checks, they must still pass '.
	'object policy checks.'));

	return $space_section;
	}

	private function getStrengthInformation(
	PhabricatorPolicyInterface $object,
	PhabricatorPolicy $policy,
	$capability) {
	$viewer = $this->getViewer();


	$strength = null;
	if ($object instanceof PhabricatorPolicyCodexInterface) {
	$codex = id(PhabricatorPolicyCodex::newFromObject($object, $viewer))
	->setCapability($capability);
	$strength = $codex->compareToDefaultPolicy($policy);
	$default_policy = $codex->getDefaultPolicy();
	} else {
	$default_policy = PhabricatorPolicyQuery::getDefaultPolicyForObject(
	$viewer,
	$object,
	$capability);

	if ($default_policy) {
	if ($default_policy->getPHID() == $policy->getPHID()) {
	return;
	}

	if ($default_policy->getPHID() != $policy->getPHID()) {
	if ($default_policy->isStrongerThan($policy)) {
	$strength = PhabricatorPolicyStrengthConstants::WEAKER;
	} else if ($policy->isStrongerThan($default_policy)) {
	$strength = PhabricatorPolicyStrengthConstants::STRONGER;
	} else {
	$strength = PhabricatorPolicyStrengthConstants::ADJUSTED;
	}
	}
	}
	}

	if (!$strength) {
	return;
	}

	if ($strength == PhabricatorPolicyStrengthConstants::WEAKER) {
	$info = pht(
	'This object has a less restrictive policy ("%s") than the default '.
	'policy for similar objects (which is "%s").',
	$policy->getShortName(),
	$default_policy->getShortName());
	} else if ($strength == PhabricatorPolicyStrengthConstants::STRONGER) {
	$info = pht(
	'This object has a more restrictive policy ("%s") than the default '.
	'policy for similar objects (which is "%s").',
	$policy->getShortName(),
	$default_policy->getShortName());
	} else {
	$info = pht(
	'This object has a different policy ("%s") than the default policy '.
	'for similar objects (which is "%s").',
	$policy->getShortName(),
	$default_policy->getShortName());
	}

	return $info;
	}

	private function getCapabilityName($capability) {
	$capability_name = $capability;
	$capobj = PhabricatorPolicyCapability::getCapabilityByKey($capability);
	if ($capobj) {
	$capability_name = $capobj->getCapabilityName();
	}

	return $capability_name;
	}

	private function buildExtendedSection(
	PhabricatorPolicyInterface $object,
	$capability) {
	$viewer = $this->getViewer();

	if (!($object instanceof PhabricatorExtendedPolicyInterface)) {
	return null;
	}

	$extended_rules = $object->getExtendedPolicy($capability, $viewer);
	if (!$extended_rules) {
	return null;
	}

	$items = array();
	foreach ($extended_rules as $extended_rule) {
	$extended_target = $extended_rule[0];
	$extended_capabilities = (array)$extended_rule[1];
	if (is_object($extended_target)) {
	$extended_target = $extended_target->getPHID();
	}

	foreach ($extended_capabilities as $extended_capability) {
	$ex_name = $this->getCapabilityName($extended_capability);
	$items[] = array(
	phutil_tag('strong', array(), pht('%s:', $ex_name)),
	' ',
	$viewer->renderHandle($extended_target)->setAsTag(true),
	);
	}
	}

	return id(new PHUIPolicySectionView())
	->setViewer($viewer)
	->setIcon('fa-link')
	->setHeader(pht('Required Capabilities on Other Objects'))
	->appendParagraph(
	pht(
	'To access this object, users must have first have access '.
	'capabilities on these other objects:'))
	->appendList($items);
	}

	private function buildExceptionsSection(
	PhabricatorPolicyInterface $object,
	$capability) {
	$viewer = $this->getViewer();

	$exceptions = PhabricatorPolicy::getSpecialRules(
	$object,
	$viewer,
	$capability,
	false);

	if (!$exceptions) {
	return null;
	}

	return id(new PHUIPolicySectionView())
	->setViewer($viewer)
	->setIcon('fa-unlock-alt red')
	->setHeader(pht('Special Rules'))
	->appendParagraph(
	pht(
	'This object has special rules which override normal object '.
	'policy rules:'))
	->appendList($exceptions);
	}

	private function buildObjectSection(
	PhabricatorPolicyInterface $object,
	PhabricatorPolicy $policy,
	$capability,
	PhabricatorObjectHandle $handle) {

	$viewer = $this->getViewer();
	$capability_name = $this->getCapabilityName($capability);

	$object_section = id(new PHUIPolicySectionView())
	->setViewer($viewer)
	->setIcon($handle->getIcon().' bluegrey')
	->setHeader(pht('Object Policy'))
	->appendList(
	array(
	array(
	phutil_tag('strong', array(), pht('%s:', $capability_name)),
	' ',
	$policy->getShortName(),
	),
	))
	->appendParagraph(
	pht(
	'In detail, this means that these users can take this action, '.
	'provided they pass all of the checks described above first:'))
	->appendList(
	array(
	PhabricatorPolicy::getPolicyExplanation(
	- $viewer,
	- $policy->getPHID()),
	+ $viewer,
	+ $policy->getPHID()),
	));

	$strength = $this->getStrengthInformation($object, $policy, $capability);
	if ($strength) {
	$object_section->appendHint($strength);
	}

	return $object_section;
	}

	}
	diff --git a/src/applications/policy/query/PhabricatorPolicyQuery.php b/src/applications/policy/query/PhabricatorPolicyQuery.php
	index e51b2ca401..3337a912b0 100644
	--- a/src/applications/policy/query/PhabricatorPolicyQuery.php
	+++ b/src/applications/policy/query/PhabricatorPolicyQuery.php
	@@ -1,428 +1,427 @@
	<?php

	final class PhabricatorPolicyQuery
	extends PhabricatorCursorPagedPolicyAwareQuery {

	private $object;
	private $phids;

	const OBJECT_POLICY_PREFIX = 'obj.';

	public function setObject(PhabricatorPolicyInterface $object) {
	$this->object = $object;
	return $this;
	}

	public function withPHIDs(array $phids) {
	$this->phids = $phids;
	return $this;
	}

	public static function loadPolicies(
	PhabricatorUser $viewer,
	PhabricatorPolicyInterface $object) {

	$results = array();

	$map = array();
	foreach ($object->getCapabilities() as $capability) {
	$map[$capability] = $object->getPolicy($capability);
	}

	$policies = id(new PhabricatorPolicyQuery())
	->setViewer($viewer)
	->withPHIDs($map)
	->execute();

	foreach ($map as $capability => $phid) {
	$results[$capability] = $policies[$phid];
	}

	return $results;
	}

	public static function renderPolicyDescriptions(
	PhabricatorUser $viewer,
	- PhabricatorPolicyInterface $object,
	- $icon = false) {
	+ PhabricatorPolicyInterface $object) {

	$policies = self::loadPolicies($viewer, $object);

	foreach ($policies as $capability => $policy) {
	- $policies[$capability] = $policy->renderDescription($icon);
	+ $policies[$capability] = $policy->renderDescription();
	}

	return $policies;
	}

	protected function loadPage() {
	if ($this->object && $this->phids) {
	throw new Exception(
	pht(
	'You can not issue a policy query with both %s and %s.',
	'setObject()',
	'setPHIDs()'));
	} else if ($this->object) {
	$phids = $this->loadObjectPolicyPHIDs();
	} else {
	$phids = $this->phids;
	}

	$phids = array_fuse($phids);

	$results = array();

	// First, load global policies.
	foreach (self::getGlobalPolicies() as $phid => $policy) {
	if (isset($phids[$phid])) {
	$results[$phid] = $policy;
	unset($phids[$phid]);
	}
	}

	// Now, load object policies.
	foreach (self::getObjectPolicies($this->object) as $phid => $policy) {
	if (isset($phids[$phid])) {
	$results[$phid] = $policy;
	unset($phids[$phid]);
	}
	}

	// If we still need policies, we're going to have to fetch data. Bucket
	// the remaining policies into rule-based policies and handle-based
	// policies.
	if ($phids) {
	$rule_policies = array();
	$handle_policies = array();
	foreach ($phids as $phid) {
	$phid_type = phid_get_type($phid);
	if ($phid_type == PhabricatorPolicyPHIDTypePolicy::TYPECONST) {
	$rule_policies[$phid] = $phid;
	} else {
	$handle_policies[$phid] = $phid;
	}
	}

	if ($handle_policies) {
	$handles = id(new PhabricatorHandleQuery())
	->setViewer($this->getViewer())
	->withPHIDs($handle_policies)
	->execute();
	foreach ($handle_policies as $phid) {
	$results[$phid] = PhabricatorPolicy::newFromPolicyAndHandle(
	$phid,
	$handles[$phid]);
	}
	}

	if ($rule_policies) {
	$rules = id(new PhabricatorPolicy())->loadAllWhere(
	'phid IN (%Ls)',
	$rule_policies);
	$results += mpull($rules, null, 'getPHID');
	}
	}

	$results = msort($results, 'getSortKey');

	return $results;
	}

	public static function isGlobalPolicy($policy) {
	$global_policies = self::getGlobalPolicies();

	if (isset($global_policies[$policy])) {
	return true;
	}

	return false;
	}

	public static function getGlobalPolicy($policy) {
	if (!self::isGlobalPolicy($policy)) {
	throw new Exception(pht("Policy '%s' is not a global policy!", $policy));
	}
	return idx(self::getGlobalPolicies(), $policy);
	}

	private static function getGlobalPolicies() {
	static $constants = array(
	PhabricatorPolicies::POLICY_PUBLIC,
	PhabricatorPolicies::POLICY_USER,
	PhabricatorPolicies::POLICY_ADMIN,
	PhabricatorPolicies::POLICY_NOONE,
	);

	$results = array();
	foreach ($constants as $constant) {
	$results[$constant] = id(new PhabricatorPolicy())
	->setType(PhabricatorPolicyType::TYPE_GLOBAL)
	->setPHID($constant)
	->setName(self::getGlobalPolicyName($constant))
	->setShortName(self::getGlobalPolicyShortName($constant))
	->makeEphemeral();
	}

	return $results;
	}

	private static function getGlobalPolicyName($policy) {
	switch ($policy) {
	case PhabricatorPolicies::POLICY_PUBLIC:
	return pht('Public (No Login Required)');
	case PhabricatorPolicies::POLICY_USER:
	return pht('All Users');
	case PhabricatorPolicies::POLICY_ADMIN:
	return pht('Administrators');
	case PhabricatorPolicies::POLICY_NOONE:
	return pht('No One');
	default:
	return pht('Unknown Policy');
	}
	}

	private static function getGlobalPolicyShortName($policy) {
	switch ($policy) {
	case PhabricatorPolicies::POLICY_PUBLIC:
	return pht('Public');
	default:
	return null;
	}
	}

	private function loadObjectPolicyPHIDs() {
	$phids = array();
	$viewer = $this->getViewer();

	if ($viewer->getPHID()) {
	$pref_key = PhabricatorPolicyFavoritesSetting::SETTINGKEY;

	$favorite_limit = 10;
	$default_limit = 5;

	// If possible, show the user's 10 most recently used projects.
	$favorites = $viewer->getUserSetting($pref_key);
	if (!is_array($favorites)) {
	$favorites = array();
	}
	$favorite_phids = array_keys($favorites);
	$favorite_phids = array_slice($favorite_phids, -$favorite_limit);

	if ($favorite_phids) {
	$projects = id(new PhabricatorProjectQuery())
	->setViewer($viewer)
	->withPHIDs($favorite_phids)
	->withIsMilestone(false)
	->setLimit($favorite_limit)
	->execute();
	$projects = mpull($projects, null, 'getPHID');
	} else {
	$projects = array();
	}

	// If we didn't find enough favorites, add some default projects. These
	// are just arbitrary projects that the viewer is a member of, but may
	// be useful on smaller installs and for new users until they can use
	// the control enough time to establish useful favorites.
	if (count($projects) < $default_limit) {
	$default_projects = id(new PhabricatorProjectQuery())
	->setViewer($viewer)
	->withMemberPHIDs(array($viewer->getPHID()))
	->withIsMilestone(false)
	->withStatuses(
	array(
	PhabricatorProjectStatus::STATUS_ACTIVE,
	))
	->setLimit($default_limit)
	->execute();
	$default_projects = mpull($default_projects, null, 'getPHID');
	$projects = $projects + $default_projects;
	$projects = array_slice($projects, 0, $default_limit);
	}

	foreach ($projects as $project) {
	$phids[] = $project->getPHID();
	}

	// Include the "current viewer" policy. This improves consistency, but
	// is also useful for creating private instances of normally-shared object
	// types, like repositories.
	$phids[] = $viewer->getPHID();
	}

	$capabilities = $this->object->getCapabilities();
	foreach ($capabilities as $capability) {
	$policy = $this->object->getPolicy($capability);
	if (!$policy) {
	continue;
	}
	$phids[] = $policy;
	}

	// If this install doesn't have "Public" enabled, don't include it as an
	// option unless the object already has a "Public" policy. In this case we
	// retain the policy but enforce it as though it was "All Users".
	$show_public = PhabricatorEnv::getEnvConfig('policy.allow-public');
	foreach (self::getGlobalPolicies() as $phid => $policy) {
	if ($phid == PhabricatorPolicies::POLICY_PUBLIC) {
	if (!$show_public) {
	continue;
	}
	}
	$phids[] = $phid;
	}

	foreach (self::getObjectPolicies($this->object) as $phid => $policy) {
	$phids[] = $phid;
	}

	return $phids;
	}

	protected function shouldDisablePolicyFiltering() {
	// Policy filtering of policies is currently perilous and not required by
	// the application.
	return true;
	}

	public function getQueryApplicationClass() {
	return 'PhabricatorPolicyApplication';
	}

	public static function isSpecialPolicy($identifier) {
	if (self::isObjectPolicy($identifier)) {
	return true;
	}

	if (self::isGlobalPolicy($identifier)) {
	return true;
	}

	return false;
	}


	/* -( Object Policies )---------------------------------------------------- */


	public static function isObjectPolicy($identifier) {
	$prefix = self::OBJECT_POLICY_PREFIX;
	return !strncmp($identifier, $prefix, strlen($prefix));
	}

	public static function getObjectPolicy($identifier) {
	if (!self::isObjectPolicy($identifier)) {
	return null;
	}

	$policies = self::getObjectPolicies(null);
	return idx($policies, $identifier);
	}

	public static function getObjectPolicyRule($identifier) {
	if (!self::isObjectPolicy($identifier)) {
	return null;
	}

	$rules = self::getObjectPolicyRules(null);
	return idx($rules, $identifier);
	}

	public static function getObjectPolicies($object) {
	$rule_map = self::getObjectPolicyRules($object);

	$results = array();
	foreach ($rule_map as $key => $rule) {
	$results[$key] = id(new PhabricatorPolicy())
	->setType(PhabricatorPolicyType::TYPE_OBJECT)
	->setPHID($key)
	->setIcon($rule->getObjectPolicyIcon())
	->setName($rule->getObjectPolicyName())
	->setShortName($rule->getObjectPolicyShortName())
	->makeEphemeral();
	}

	return $results;
	}

	public static function getObjectPolicyRules($object) {
	$rules = id(new PhutilClassMapQuery())
	->setAncestorClass('PhabricatorPolicyRule')
	->execute();

	$results = array();
	foreach ($rules as $rule) {
	$key = $rule->getObjectPolicyKey();
	if (!$key) {
	continue;
	}

	$full_key = $rule->getObjectPolicyFullKey();
	if (isset($results[$full_key])) {
	throw new Exception(
	pht(
	'Two policy rules (of classes "%s" and "%s") define the same '.
	'object policy key ("%s"), but each object policy rule must use '.
	'a unique key.',
	get_class($rule),
	get_class($results[$full_key]),
	$key));
	}

	$results[$full_key] = $rule;
	}

	if ($object !== null) {
	foreach ($results as $key => $rule) {
	if (!$rule->canApplyToObject($object)) {
	unset($results[$key]);
	}
	}
	}

	return $results;
	}

	public static function getDefaultPolicyForObject(
	PhabricatorUser $viewer,
	PhabricatorPolicyInterface $object,
	$capability) {

	$phid = $object->getPHID();
	if (!$phid) {
	return null;
	}

	$type = phid_get_type($phid);

	$map = self::getDefaultObjectTypePolicyMap();

	if (empty($map[$type][$capability])) {
	return null;
	}

	$policy_phid = $map[$type][$capability];

	return id(new PhabricatorPolicyQuery())
	->setViewer($viewer)
	->withPHIDs(array($policy_phid))
	->executeOne();
	}

	private static function getDefaultObjectTypePolicyMap() {
	static $map;

	if ($map === null) {
	$map = array();

	$apps = PhabricatorApplication::getAllApplications();
	foreach ($apps as $app) {
	$map += $app->getDefaultObjectTypePolicyMap();
	}
	}

	return $map;
	}


	}
	diff --git a/src/applications/policy/storage/PhabricatorPolicy.php b/src/applications/policy/storage/PhabricatorPolicy.php
	index 3d6b4ca609..834ca7a798 100644
	--- a/src/applications/policy/storage/PhabricatorPolicy.php
	+++ b/src/applications/policy/storage/PhabricatorPolicy.php
	@@ -1,517 +1,504 @@
	<?php

	final class PhabricatorPolicy
	extends PhabricatorPolicyDAO
	implements
	PhabricatorPolicyInterface,
	PhabricatorDestructibleInterface {

	const ACTION_ALLOW = 'allow';
	const ACTION_DENY = 'deny';

	private $name;
	private $shortName;
	private $type;
	private $href;
	private $workflow;
	private $icon;

	protected $rules = array();
	protected $defaultAction = self::ACTION_DENY;

	private $ruleObjects = self::ATTACHABLE;

	protected function getConfiguration() {
	return array(
	self::CONFIG_AUX_PHID => true,
	self::CONFIG_SERIALIZATION => array(
	'rules' => self::SERIALIZATION_JSON,
	),
	self::CONFIG_COLUMN_SCHEMA => array(
	'defaultAction' => 'text32',
	),
	self::CONFIG_KEY_SCHEMA => array(
	'key_phid' => null,
	'phid' => array(
	'columns' => array('phid'),
	'unique' => true,
	),
	),
	) + parent::getConfiguration();
	}

	public function generatePHID() {
	return PhabricatorPHID::generateNewPHID(
	PhabricatorPolicyPHIDTypePolicy::TYPECONST);
	}

	public static function newFromPolicyAndHandle(
	$policy_identifier,
	PhabricatorObjectHandle $handle = null) {

	$is_global = PhabricatorPolicyQuery::isGlobalPolicy($policy_identifier);
	if ($is_global) {
	return PhabricatorPolicyQuery::getGlobalPolicy($policy_identifier);
	}

	$policy = PhabricatorPolicyQuery::getObjectPolicy($policy_identifier);
	if ($policy) {
	return $policy;
	}

	if (!$handle) {
	throw new Exception(
	pht(
	"Policy identifier is an object PHID ('%s'), but no object handle ".
	"was provided. A handle must be provided for object policies.",
	$policy_identifier));
	}

	$handle_phid = $handle->getPHID();
	if ($policy_identifier != $handle_phid) {
	throw new Exception(
	pht(
	"Policy identifier is an object PHID ('%s'), but the provided ".
	"handle has a different PHID ('%s'). The handle must correspond ".
	"to the policy identifier.",
	$policy_identifier,
	$handle_phid));
	}

	$policy = id(new PhabricatorPolicy())
	->setPHID($policy_identifier)
	->setHref($handle->getURI());

	$phid_type = phid_get_type($policy_identifier);
	switch ($phid_type) {
	case PhabricatorProjectProjectPHIDType::TYPECONST:
	$policy
	->setType(PhabricatorPolicyType::TYPE_PROJECT)
	->setName($handle->getName())
	->setIcon($handle->getIcon());
	break;
	case PhabricatorPeopleUserPHIDType::TYPECONST:
	$policy->setType(PhabricatorPolicyType::TYPE_USER);
	$policy->setName($handle->getFullName());
	break;
	case PhabricatorPolicyPHIDTypePolicy::TYPECONST:
	// TODO: This creates a weird handle-based version of a rule policy.
	// It behaves correctly, but can't be applied since it doesn't have
	// any rules. It is used to render transactions, and might need some
	// cleanup.
	break;
	default:
	$policy->setType(PhabricatorPolicyType::TYPE_MASKED);
	$policy->setName($handle->getFullName());
	break;
	}

	$policy->makeEphemeral();

	return $policy;
	}

	public function setType($type) {
	$this->type = $type;
	return $this;
	}

	public function getType() {
	if (!$this->type) {
	return PhabricatorPolicyType::TYPE_CUSTOM;
	}
	return $this->type;
	}

	public function setName($name) {
	$this->name = $name;
	return $this;
	}

	public function getName() {
	if (!$this->name) {
	return pht('Custom Policy');
	}
	return $this->name;
	}

	public function setShortName($short_name) {
	$this->shortName = $short_name;
	return $this;
	}

	public function getShortName() {
	if ($this->shortName) {
	return $this->shortName;
	}
	return $this->getName();
	}

	public function setHref($href) {
	$this->href = $href;
	return $this;
	}

	public function getHref() {
	return $this->href;
	}

	public function setWorkflow($workflow) {
	$this->workflow = $workflow;
	return $this;
	}

	public function getWorkflow() {
	return $this->workflow;
	}

	public function setIcon($icon) {
	$this->icon = $icon;
	return $this;
	}

	public function getIcon() {
	if ($this->icon) {
	return $this->icon;
	}

	switch ($this->getType()) {
	case PhabricatorPolicyType::TYPE_GLOBAL:
	static $map = array(
	PhabricatorPolicies::POLICY_PUBLIC => 'fa-globe',
	PhabricatorPolicies::POLICY_USER => 'fa-users',
	PhabricatorPolicies::POLICY_ADMIN => 'fa-eye',
	PhabricatorPolicies::POLICY_NOONE => 'fa-ban',
	);
	return idx($map, $this->getPHID(), 'fa-question-circle');
	case PhabricatorPolicyType::TYPE_USER:
	return 'fa-user';
	case PhabricatorPolicyType::TYPE_PROJECT:
	return 'fa-briefcase';
	case PhabricatorPolicyType::TYPE_CUSTOM:
	case PhabricatorPolicyType::TYPE_MASKED:
	return 'fa-certificate';
	default:
	return 'fa-question-circle';
	}
	}

	public function getSortKey() {
	return sprintf(
	'%02d%s',
	PhabricatorPolicyType::getPolicyTypeOrder($this->getType()),
	$this->getSortName());
	}

	private function getSortName() {
	if ($this->getType() == PhabricatorPolicyType::TYPE_GLOBAL) {
	static $map = array(
	PhabricatorPolicies::POLICY_PUBLIC => 0,
	PhabricatorPolicies::POLICY_USER => 1,
	PhabricatorPolicies::POLICY_ADMIN => 2,
	PhabricatorPolicies::POLICY_NOONE => 3,
	);
	return idx($map, $this->getPHID());
	}
	return $this->getName();
	}

	public static function getPolicyExplanation(
	PhabricatorUser $viewer,
	$policy) {

	$rule = PhabricatorPolicyQuery::getObjectPolicyRule($policy);
	if ($rule) {
	return $rule->getPolicyExplanation();
	}

	switch ($policy) {
	case PhabricatorPolicies::POLICY_PUBLIC:
	return pht(
	'This object is public and can be viewed by anyone, even if they '.
	'do not have a Phabricator account.');
	case PhabricatorPolicies::POLICY_USER:
	return pht('Logged in users can take this action.');
	case PhabricatorPolicies::POLICY_ADMIN:
	return pht('Administrators can take this action.');
	case PhabricatorPolicies::POLICY_NOONE:
	return pht('By default, no one can take this action.');
	default:
	$handle = id(new PhabricatorHandleQuery())
	->setViewer($viewer)
	->withPHIDs(array($policy))
	->executeOne();

	$type = phid_get_type($policy);
	if ($type == PhabricatorProjectProjectPHIDType::TYPECONST) {
	return pht(
	'Members of the project "%s" can take this action.',
	$handle->getFullName());
	} else if ($type == PhabricatorPeopleUserPHIDType::TYPECONST) {
	return pht(
	'%s can take this action.',
	$handle->getFullName());
	} else if ($type == PhabricatorPolicyPHIDTypePolicy::TYPECONST) {
	return pht(
	'This object has a custom policy controlling who can take this '.
	'action.');
	} else {
	return pht(
	'This object has an unknown or invalid policy setting ("%s").',
	$policy);
	}
	}
	}

	public function getFullName() {
	switch ($this->getType()) {
	case PhabricatorPolicyType::TYPE_PROJECT:
	return pht('Members of Project: %s', $this->getName());
	case PhabricatorPolicyType::TYPE_MASKED:
	return pht('Other: %s', $this->getName());
	case PhabricatorPolicyType::TYPE_USER:
	return pht('Only User: %s', $this->getName());
	default:
	return $this->getName();
	}
	}

	- public function renderDescription($icon = false) {
	- $img = null;
	- if ($icon) {
	- $img = id(new PHUIIconView())
	- ->setIcon($this->getIcon());
	- }
	-
	+ public function renderDescription() {
	if ($this->getHref()) {
	$desc = javelin_tag(
	'a',
	array(
	'href' => $this->getHref(),
	'class' => 'policy-link',
	'sigil' => $this->getWorkflow() ? 'workflow' : null,
	),
	- array(
	- $img,
	- $this->getName(),
	- ));
	+ $this->getName());
	} else {
	- if ($img) {
	- $desc = array($img, $this->getName());
	- } else {
	- $desc = $this->getName();
	- }
	+ $desc = $this->getName();
	}

	switch ($this->getType()) {
	case PhabricatorPolicyType::TYPE_PROJECT:
	return pht('%s (Project)', $desc);
	case PhabricatorPolicyType::TYPE_CUSTOM:
	return $desc;
	case PhabricatorPolicyType::TYPE_MASKED:
	return pht(
	'%s (You do not have permission to view policy details.)',
	$desc);
	default:
	return $desc;
	}
	}

	/**
	* Return a list of custom rule classes (concrete subclasses of
	* @{class:PhabricatorPolicyRule}) this policy uses.
	*
	* @return list<string> List of class names.
	*/
	public function getCustomRuleClasses() {
	$classes = array();

	foreach ($this->getRules() as $rule) {
	if (!is_array($rule)) {
	// This rule is invalid. We'll reject it later, but don't need to
	// extract anything from it for now.
	continue;
	}

	$class = idx($rule, 'rule');
	try {
	if (class_exists($class)) {
	$classes[$class] = $class;
	}
	} catch (Exception $ex) {
	continue;
	}
	}

	return array_keys($classes);
	}

	/**
	* Return a list of all values used by a given rule class to implement this
	* policy. This is used to bulk load data (like project memberships) in order
	* to apply policy filters efficiently.
	*
	* @param string Policy rule classname.
	* @return list<wild> List of values used in this policy.
	*/
	public function getCustomRuleValues($rule_class) {
	$values = array();
	foreach ($this->getRules() as $rule) {
	if ($rule['rule'] == $rule_class) {
	$values[] = $rule['value'];
	}
	}
	return $values;
	}

	public function attachRuleObjects(array $objects) {
	$this->ruleObjects = $objects;
	return $this;
	}

	public function getRuleObjects() {
	return $this->assertAttached($this->ruleObjects);
	}


	/**
	* Return `true` if this policy is stronger (more restrictive) than some
	* other policy.
	*
	* Because policies are complicated, determining which policies are
	* "stronger" is not trivial. This method uses a very coarse working
	* definition of policy strength which is cheap to compute, unambiguous,
	* and intuitive in the common cases.
	*
	* This method returns `true` if the //class// of this policy is stronger
	* than the other policy, even if the policies are (or might be) the same in
	* practice. For example, "Members of Project X" is considered a stronger
	* policy than "All Users", even though "Project X" might (in some rare
	* cases) contain every user.
	*
	* Generally, the ordering here is:
	*
	* - Public
	* - All Users
	* - (Everything Else)
	* - No One
	*
	* In the "everything else" bucket, we can't make any broad claims about
	* which policy is stronger (and we especially can't make those claims
	* cheaply).
	*
	* Even if we fully evaluated each policy, the two policies might be
	* "Members of X" and "Members of Y", each of which permits access to some
	* set of unique users. In this case, neither is strictly stronger than
	* the other.
	*
	* @param PhabricatorPolicy Other policy.
	* @return bool `true` if this policy is more restrictive than the other
	* policy.
	*/
	public function isStrongerThan(PhabricatorPolicy $other) {
	$this_policy = $this->getPHID();
	$other_policy = $other->getPHID();

	$strengths = array(
	PhabricatorPolicies::POLICY_PUBLIC => -2,
	PhabricatorPolicies::POLICY_USER => -1,
	// (Default policies have strength 0.)
	PhabricatorPolicies::POLICY_NOONE => 1,
	);

	$this_strength = idx($strengths, $this->getPHID(), 0);
	$other_strength = idx($strengths, $other->getPHID(), 0);

	return ($this_strength > $other_strength);
	}

	public function isValidPolicyForEdit() {
	return $this->getType() !== PhabricatorPolicyType::TYPE_MASKED;
	}

	public static function getSpecialRules(
	PhabricatorPolicyInterface $object,
	PhabricatorUser $viewer,
	$capability,
	$active_only) {

	$exceptions = array();
	if ($object instanceof PhabricatorPolicyCodexInterface) {
	$codex = id(PhabricatorPolicyCodex::newFromObject($object, $viewer))
	->setCapability($capability);
	$rules = $codex->getPolicySpecialRuleDescriptions();

	foreach ($rules as $rule) {
	$is_active = $rule->getIsActive();
	if ($is_active) {
	$rule_capabilities = $rule->getCapabilities();
	if ($rule_capabilities) {
	if (!in_array($capability, $rule_capabilities)) {
	$is_active = false;
	}
	}
	}

	if (!$is_active && $active_only) {
	continue;
	}

	$description = $rule->getDescription();

	if (!$is_active) {
	$description = phutil_tag(
	'span',
	array(
	'class' => 'phui-policy-section-view-inactive-rule',
	),
	$description);
	}

	$exceptions[] = $description;
	}
	}

	if (!$exceptions) {
	if (method_exists($object, 'describeAutomaticCapability')) {
	$exceptions = (array)$object->describeAutomaticCapability($capability);
	$exceptions = array_filter($exceptions);
	}
	}

	return $exceptions;
	}


	/* -( PhabricatorPolicyInterface )----------------------------------------- */


	public function getCapabilities() {
	return array(
	PhabricatorPolicyCapability::CAN_VIEW,
	);
	}

	public function getPolicy($capability) {
	// NOTE: We implement policies only so we can comply with the interface.
	// The actual query skips them, as enforcing policies on policies seems
	// perilous and isn't currently required by the application.
	return PhabricatorPolicies::POLICY_PUBLIC;
	}

	public function hasAutomaticCapability($capability, PhabricatorUser $viewer) {
	return false;
	}


	/* -( PhabricatorDestructibleInterface )----------------------------------- */


	public function destroyObjectPermanently(
	PhabricatorDestructionEngine $engine) {

	$this->delete();
	}


	}

File Metadata

Mime Type: text/x-diff
Expires: Sun, Jul 27, 2:28 PM (1 w, 9 h ago)
Storage Engine: blob
Storage Format: Raw Data
Storage Handle: 184426
Default Alt Text: (37 KB)

No OneTemporaryActions

View Options

File Metadata

Event Timeline

No OneTemporary
Actions