Add Diffusion policy capability "Can Edit and View Identities"
Summary:
Make it possible not to allow anyone to edit Diffusion identities.
Make it possible not to allow anyone to view other users' email addresses.
Closes T15443
Test Plan:
- As an admin, go to /applications/view/PhabricatorDiffusionApplication/ and see new policy "Can Edit and View Identities" set to "All Users" (as implicitly before)
- As an admin, go to /applications/view/PhabricatorDiffusionApplication/ and change "Can Edit and View Identities" from "All Users" to "Administrators"
- As a non-admin, go to /diffusion/identity/ and try to select the disabled "Create Identity" button; get an error message when clicking it due to lack of permissions
- Given there is at least one identity defined, as a non-admin, go directly to /diffusion/identity/view/1/ and get "You do not have permission to view this object."
- Given there is at least one identity defined, as a non-admin, go directly to /diffusion/identity/edit/1/ and get "You do not have permission to view this object."
- As a non-admin, go directly to /diffusion/identity/edit/form/default/ and get "You do not have permission to edit this object."
- As a non-admin, go directly to /diffusion/identity/ and get "No Identities found." instead of seeing the existing identities listed.
- As an admin, go to /diffusion/identity/ and still see the existing identities listed.
- As an admin, go to /diffusion/identity/, select "Create Identity" to go to /diffusion/identity/edit/ and see the "Create Identity" page (though broken; see T15453)
- As an admin, go to /diffusion/identity/view/1/ and still see the existing identity.
- As an admin, go to /diffusion/identity/edit/1/ and successfully edit the existing identity.
Reviewers: O1 Blessed Committers, speck, valerio.bozzolan
Reviewed By: O1 Blessed Committers, speck, valerio.bozzolan
Subscribers: speck, tobiaswiese, valerio.bozzolan, Matthew, Cigaryno
Maniphest Tasks: T15443
Differential Revision: https://we.phorge.it/D25450