protected function loadPage() { if ($this->object && $this->phids) { throw new Exception(pht('You can not issue a policy query with both %s and %s.', 'setObject()', 'setPHIDs()')); } else { if ($this->object) { $phids = $this->loadObjectPolicyPHIDs(); } else { $phids = $this->phids; } } $phids = array_fuse($phids); $results = array(); // First, load global policies. foreach (self::getGlobalPolicies() as $phid => $policy) { if (isset($phids[$phid])) { $results[$phid] = $policy; unset($phids[$phid]); } } // Now, load object policies. foreach (self::getObjectPolicies($this->object) as $phid => $policy) { if (isset($phids[$phid])) { $results[$phid] = $policy; unset($phids[$phid]); } } // If we still need policies, we're going to have to fetch data. Bucket // the remaining policies into rule-based policies and handle-based // policies. if ($phids) { $rule_policies = array(); $handle_policies = array(); foreach ($phids as $phid) { $phid_type = phid_get_type($phid); if ($phid_type == PhabricatorPolicyPHIDTypePolicy::TYPECONST) { $rule_policies[$phid] = $phid; } else { $handle_policies[$phid] = $phid; } } if ($handle_policies) { $handles = id(new PhabricatorHandleQuery())->setViewer($this->getViewer())->withPHIDs($handle_policies)->execute(); foreach ($handle_policies as $phid) { $results[$phid] = PhabricatorPolicy::newFromPolicyAndHandle($phid, $handles[$phid]); } } if ($rule_policies) { $rules = id(new PhabricatorPolicy())->loadAllWhere('phid IN (%Ls)', $rule_policies); $results += mpull($rules, null, 'getPHID'); } } $results = msort($results, 'getSortKey'); return $results; }
protected function getOptions() { $capability = $this->capability; $options = array(); foreach ($this->policies as $policy) { if ($policy->getPHID() == PhabricatorPolicies::POLICY_PUBLIC) { // Never expose "Public" for capabilities which don't support it. $capobj = PhabricatorPolicyCapability::getCapabilityByKey($capability); if (!$capobj || !$capobj->shouldAllowPublicPolicySetting()) { continue; } } $policy_short_name = id(new PhutilUTF8StringTruncator())->setMaximumGlyphs(28)->truncateString($policy->getName()); $options[$policy->getType()][$policy->getPHID()] = array('name' => $policy_short_name, 'full' => $policy->getName(), 'icon' => $policy->getIcon()); } // If we were passed several custom policy options, throw away the ones // which aren't the value for this capability. For example, an object might // have a custom view pollicy and a custom edit policy. When we render // the selector for "Can View", we don't want to show the "Can Edit" // custom policy -- if we did, the menu would look like this: // // Custom // Custom Policy // Custom Policy // // ...where one is the "view" custom policy, and one is the "edit" custom // policy. $type_custom = PhabricatorPolicyType::TYPE_CUSTOM; if (!empty($options[$type_custom])) { $options[$type_custom] = array_select_keys($options[$type_custom], array($this->getValue())); } // If there aren't any custom policies, add a placeholder policy so we // render a menu item. This allows the user to switch to a custom policy. if (empty($options[$type_custom])) { $placeholder = new PhabricatorPolicy(); $placeholder->setName(pht('Custom Policy...')); $options[$type_custom][$this->getCustomPolicyPlaceholder()] = array('name' => $placeholder->getName(), 'full' => $placeholder->getName(), 'icon' => $placeholder->getIcon()); } $options = array_select_keys($options, array(PhabricatorPolicyType::TYPE_GLOBAL, PhabricatorPolicyType::TYPE_USER, PhabricatorPolicyType::TYPE_CUSTOM, PhabricatorPolicyType::TYPE_PROJECT)); return $options; }
private function renderPolicyDetails(PhabricatorPolicy $policy, array $rule_objects) { $details = array(); $details[] = phutil_tag('p', array('class' => 'policy-transaction-detail-intro'), pht('These rules are processed in order:')); foreach ($policy->getRules() as $index => $rule) { $rule_object = $rule_objects[$rule['rule']]; if ($rule['action'] == 'allow') { $icon = 'fa-check-circle green'; } else { $icon = 'fa-minus-circle red'; } $icon = id(new PHUIIconView())->setIconFont($icon)->setText(ucfirst($rule['action']) . ' ' . $rule_object->getRuleDescription()); $handle_phids = $rule_object->getRequiredHandlePHIDsForSummary($rule['value']); if ($handle_phids) { $value = $this->renderHandlesForPHIDs($handle_phids, ','); } else { $value = $rule['value']; } $details[] = phutil_tag('div', array('class' => 'policy-transaction-detail-row'), array($icon, $value)); } $details[] = phutil_tag('p', array('class' => 'policy-transaction-detail-end'), pht('If no rules match, %s all other users.', phutil_tag('b', array(), $policy->getDefaultAction()))); return $details; }
private function appendStrengthInformation(AphrontDialogView $dialog, PhabricatorPolicyInterface $object, PhabricatorPolicy $policy, $capability) { $viewer = $this->getViewer(); $default_policy = PhabricatorPolicyQuery::getDefaultPolicyForObject($viewer, $object, $capability); if (!$default_policy) { return; } if ($default_policy->getPHID() == $policy->getPHID()) { return; } if ($default_policy->isStrongerThan($policy)) { $info = pht('This object has a less restrictive policy ("%s") than the default ' . 'policy for similar objects (which is "%s").', $policy->getShortName(), $default_policy->getShortName()); } else { if ($policy->isStrongerThan($default_policy)) { $info = pht('This object has a more restrictive policy ("%s") than the default ' . 'policy for similar objects (which is "%s").', $policy->getShortName(), $default_policy->getShortName()); } else { $info = pht('This object has a different policy ("%s") than the default policy ' . 'for similar objects (which is "%s").', $policy->getShortName(), $default_policy->getShortName()); } } $dialog->appendParagraph($info); }
public function execute(PhutilArgumentParser $args) { $console = PhutilConsole::getConsole(); $viewer = $this->getViewer(); $obj_names = $args->getArg('objects'); if (!$obj_names) { throw new PhutilArgumentUsageException(pht('Specify the name of an object to show policy information for.')); } else { if (count($obj_names) > 1) { throw new PhutilArgumentUsageException(pht('Specify the name of exactly one object to show policy information ' . 'for.')); } } $object = id(new PhabricatorObjectQuery())->setViewer($viewer)->withNames($obj_names)->executeOne(); if (!$object) { $name = head($obj_names); throw new PhutilArgumentUsageException(pht("No such object '%s'!", $name)); } $handle = id(new PhabricatorHandleQuery())->setViewer($viewer)->withPHIDs(array($object->getPHID()))->executeOne(); $policies = PhabricatorPolicyQuery::loadPolicies($viewer, $object); $console->writeOut("__%s__\n\n", pht('OBJECT')); $console->writeOut(" %s\n", $handle->getFullName()); $console->writeOut("\n"); $console->writeOut("__%s__\n\n", pht('CAPABILITIES')); foreach ($policies as $capability => $policy) { $console->writeOut(" **%s**\n", $capability); $console->writeOut(" %s\n", $policy->renderDescription()); $console->writeOut(" %s\n", PhabricatorPolicy::getPolicyExplanation($viewer, $policy->getPHID())); $console->writeOut("\n"); $more = (array) $object->describeAutomaticCapability($capability); if ($more) { foreach ($more as $line) { $console->writeOut(" %s\n", $line); } $console->writeOut("\n"); } } }
public function processRequest() { $request = $this->getRequest(); $viewer = $request->getUser(); $phid = $this->phid; $capability = $this->capability; $object = id(new PhabricatorObjectQuery())->setViewer($viewer)->withPHIDs(array($phid))->executeOne(); if (!$object) { return new Aphront404Response(); } $policies = PhabricatorPolicyQuery::loadPolicies($viewer, $object); $policy = idx($policies, $capability); if (!$policy) { return new Aphront404Response(); } $handle = id(new PhabricatorHandleQuery())->setViewer($viewer)->withPHIDs(array($phid))->executeOne(); $object_uri = nonempty($handle->getURI(), '/'); $explanation = PhabricatorPolicy::getPolicyExplanation($viewer, $policy->getPHID()); $auto_info = (array) $object->describeAutomaticCapability($capability); $auto_info = array_merge(array($explanation), $auto_info); $auto_info = array_filter($auto_info); foreach ($auto_info as $key => $info) { $auto_info[$key] = phutil_tag('li', array(), $info); } if ($auto_info) { $auto_info = phutil_tag('ul', array(), $auto_info); } $capability_name = $capability; $capobj = PhabricatorPolicyCapability::getCapabilityByKey($capability); if ($capobj) { $capability_name = $capobj->getCapabilityName(); } $content = array(pht('Users with the "%s" capability:', $capability_name), $auto_info); $object_name = pht('%s %s', $handle->getTypeName(), $handle->getObjectName()); $dialog = id(new AphrontDialogView())->setUser($viewer)->setClass('aphront-access-dialog')->setTitle(pht('Policy Details: %s', $object_name))->appendChild($content)->addCancelButton($object_uri, pht('Done')); return id(new AphrontDialogResponse())->setDialog($dialog); }
public function rejectObject(PhabricatorPolicyInterface $object, $policy, $capability) { if (!$this->raisePolicyExceptions) { return; } if ($this->viewer->isOmnipotent()) { // Never raise policy exceptions for the omnipotent viewer. Although we // will never normally issue a policy rejection for the omnipotent // viewer, we can end up here when queries blanket reject objects that // have failed to load, without distinguishing between nonexistent and // nonvisible objects. return; } $capobj = PhabricatorPolicyCapability::getCapabilityByKey($capability); $rejection = null; if ($capobj) { $rejection = $capobj->describeCapabilityRejection(); $capability_name = $capobj->getCapabilityName(); } else { $capability_name = $capability; } if (!$rejection) { // We couldn't find the capability object, or it doesn't provide a // tailored rejection string. $rejection = pht('You do not have the required capability ("%s") to do whatever you ' . 'are trying to do.', $capability); } $more = PhabricatorPolicy::getPolicyExplanation($this->viewer, $policy); $exceptions = $object->describeAutomaticCapability($capability); $details = array_filter(array_merge(array($more), (array) $exceptions)); $access_denied = $this->renderAccessDenied($object); $full_message = pht('[%s] (%s) %s // %s', $access_denied, $capability_name, $rejection, implode(' ', $details)); $exception = id(new PhabricatorPolicyException($full_message))->setTitle($access_denied)->setObjectPHID($object->getPHID())->setRejection($rejection)->setCapability($capability)->setCapabilityName($capability_name)->setMoreInfo($details); throw $exception; }
protected function renderPolicyName($phid, $state = 'old') { $policy = PhabricatorPolicy::newFromPolicyAndHandle($phid, $this->getHandleIfExists($phid)); if ($this->renderingTarget == self::TARGET_HTML) { switch ($policy->getType()) { case PhabricatorPolicyType::TYPE_CUSTOM: $policy->setHref('/transactions/' . $state . '/' . $this->getPHID() . '/'); $policy->setWorkflow(true); break; default: break; } $output = $policy->renderDescription(); } else { $output = hsprintf('%s', $policy->getFullName()); } return $output; }
<?php $policies = array('Administrators', 'LegalpadSignature', 'LunarPhase', 'Projects', 'Users'); $map = array(); foreach ($policies as $policy) { $old_name = "PhabricatorPolicyRule{$policy}"; $new_name = "Phabricator{$policy}PolicyRule"; $map[$old_name] = $new_name; } echo pht('Migrating policies...') . "\n"; $table = new PhabricatorPolicy(); $conn_w = $table->establishConnection('w'); foreach (new LiskMigrationIterator($table) as $policy) { $old_rules = $policy->getRules(); $new_rules = array(); foreach ($old_rules as $rule) { $existing_rule = $rule['rule']; $rule['rule'] = idx($map, $existing_rule, $existing_rule); $new_rules[] = $rule; } queryfx($conn_w, 'UPDATE %T SET rules = %s WHERE id = %d', $table->getTableName(), json_encode($new_rules), $policy->getID()); }
/** * Return `true` if this policy is stronger (more restrictive) than some * other policy. * * Because policies are complicated, determining which policies are * "stronger" is not trivial. This method uses a very coarse working * definition of policy strength which is cheap to compute, unambiguous, * and intuitive in the common cases. * * This method returns `true` if the //class// of this policy is stronger * than the other policy, even if the policies are (or might be) the same in * practice. For example, "Members of Project X" is considered a stronger * policy than "All Users", even though "Project X" might (in some rare * cases) contain every user. * * Generally, the ordering here is: * * - Public * - All Users * - (Everything Else) * - No One * * In the "everything else" bucket, we can't make any broad claims about * which policy is stronger (and we especially can't make those claims * cheaply). * * Even if we fully evaluated each policy, the two policies might be * "Members of X" and "Members of Y", each of which permits access to some * set of unique users. In this case, neither is strictly stronger than * the other. * * @param PhabricatorPolicy Other policy. * @return bool `true` if this policy is more restrictive than the other * policy. */ public function isStrongerThan(PhabricatorPolicy $other) { $this_policy = $this->getPHID(); $other_policy = $other->getPHID(); $strengths = array(PhabricatorPolicies::POLICY_PUBLIC => -2, PhabricatorPolicies::POLICY_USER => -1, PhabricatorPolicies::POLICY_NOONE => 1); $this_strength = idx($strengths, $this->getPHID(), 0); $other_strength = idx($strengths, $other->getPHID(), 0); return $this_strength > $other_strength; }
protected function getOptions() { $capability = $this->capability; $policies = $this->policies; // Exclude object policies which don't make sense here. This primarily // filters object policies associated from template capabilities (like // "Default Task View Policy" being set to "Task Author") so they aren't // made available on non-template capabilities (like "Can Bulk Edit"). foreach ($policies as $key => $policy) { if ($policy->getType() != PhabricatorPolicyType::TYPE_OBJECT) { continue; } $rule = PhabricatorPolicyQuery::getObjectPolicyRule($policy->getPHID()); if (!$rule) { continue; } $target = nonempty($this->templateObject, $this->object); if (!$rule->canApplyToObject($target)) { unset($policies[$key]); continue; } } $options = array(); foreach ($policies as $policy) { if ($policy->getPHID() == PhabricatorPolicies::POLICY_PUBLIC) { // Never expose "Public" for capabilities which don't support it. $capobj = PhabricatorPolicyCapability::getCapabilityByKey($capability); if (!$capobj || !$capobj->shouldAllowPublicPolicySetting()) { continue; } } $policy_short_name = id(new PhutilUTF8StringTruncator())->setMaximumGlyphs(28)->truncateString($policy->getName()); $options[$policy->getType()][$policy->getPHID()] = array('name' => $policy_short_name, 'full' => $policy->getName(), 'icon' => $policy->getIcon()); } // If we were passed several custom policy options, throw away the ones // which aren't the value for this capability. For example, an object might // have a custom view pollicy and a custom edit policy. When we render // the selector for "Can View", we don't want to show the "Can Edit" // custom policy -- if we did, the menu would look like this: // // Custom // Custom Policy // Custom Policy // // ...where one is the "view" custom policy, and one is the "edit" custom // policy. $type_custom = PhabricatorPolicyType::TYPE_CUSTOM; if (!empty($options[$type_custom])) { $options[$type_custom] = array_select_keys($options[$type_custom], array($this->getValue())); } // If there aren't any custom policies, add a placeholder policy so we // render a menu item. This allows the user to switch to a custom policy. if (empty($options[$type_custom])) { $placeholder = new PhabricatorPolicy(); $placeholder->setName(pht('Custom Policy...')); $options[$type_custom][$this->getCustomPolicyPlaceholder()] = array('name' => $placeholder->getName(), 'full' => $placeholder->getName(), 'icon' => $placeholder->getIcon()); } $options = array_select_keys($options, array(PhabricatorPolicyType::TYPE_GLOBAL, PhabricatorPolicyType::TYPE_OBJECT, PhabricatorPolicyType::TYPE_USER, PhabricatorPolicyType::TYPE_CUSTOM, PhabricatorPolicyType::TYPE_PROJECT)); return $options; }
public function processRequest() { $request = $this->getRequest(); $viewer = $request->getUser(); $action_options = array(PhabricatorPolicy::ACTION_ALLOW => pht('Allow'), PhabricatorPolicy::ACTION_DENY => pht('Deny')); $rules = id(new PhutilSymbolLoader())->setAncestorClass('PhabricatorPolicyRule')->loadObjects(); $rules = msort($rules, 'getRuleOrder'); $default_rule = array('action' => head_key($action_options), 'rule' => head_key($rules), 'value' => null); if ($this->phid) { $policies = id(new PhabricatorPolicyQuery())->setViewer($viewer)->withPHIDs(array($this->phid))->execute(); if (!$policies) { return new Aphront404Response(); } $policy = head($policies); } else { $policy = id(new PhabricatorPolicy())->setRules(array($default_rule))->setDefaultAction(PhabricatorPolicy::ACTION_DENY); } $root_id = celerity_generate_unique_node_id(); $default_action = $policy->getDefaultAction(); $rule_data = $policy->getRules(); $errors = array(); if ($request->isFormPost()) { $data = $request->getStr('rules'); $data = @json_decode($data, true); if (!is_array($data)) { throw new Exception('Failed to JSON decode rule data!'); } $rule_data = array(); foreach ($data as $rule) { $action = idx($rule, 'action'); switch ($action) { case 'allow': case 'deny': break; default: throw new Exception("Invalid action '{$action}'!"); } $rule_class = idx($rule, 'rule'); if (empty($rules[$rule_class])) { throw new Exception("Invalid rule class '{$rule_class}'!"); } $rule_obj = $rules[$rule_class]; $value = $rule_obj->getValueForStorage(idx($rule, 'value')); $rule_data[] = array('action' => $action, 'rule' => $rule_class, 'value' => $value); } // Filter out nonsense rules, like a "users" rule without any users // actually specified. $valid_rules = array(); foreach ($rule_data as $rule) { $rule_class = $rule['rule']; if ($rules[$rule_class]->ruleHasEffect($rule['value'])) { $valid_rules[] = $rule; } } if (!$valid_rules) { $errors[] = pht('None of these policy rules have any effect.'); } // NOTE: Policies are immutable once created, and we always create a new // policy here. If we didn't, we would need to lock this endpoint down, // as users could otherwise just go edit the policies of objects with // custom policies. if (!$errors) { $new_policy = new PhabricatorPolicy(); $new_policy->setRules($valid_rules); $new_policy->setDefaultAction($request->getStr('default')); $new_policy->save(); $data = array('phid' => $new_policy->getPHID(), 'info' => array('name' => $new_policy->getName(), 'full' => $new_policy->getName(), 'icon' => $new_policy->getIcon())); return id(new AphrontAjaxResponse())->setContent($data); } } // Convert rule values to display format (for example, expanding PHIDs // into tokens). foreach ($rule_data as $key => $rule) { $rule_data[$key]['value'] = $rules[$rule['rule']]->getValueForDisplay($viewer, $rule['value']); } $default_select = AphrontFormSelectControl::renderSelectTag($default_action, $action_options, array('name' => 'default')); if ($errors) { $errors = id(new AphrontErrorView())->setErrors($errors); } $form = id(new PHUIFormLayoutView())->appendChild($errors)->appendChild(javelin_tag('input', array('type' => 'hidden', 'name' => 'rules', 'sigil' => 'rules')))->appendChild(id(new AphrontFormInsetView())->setTitle(pht('Rules'))->setRightButton(javelin_tag('a', array('href' => '#', 'class' => 'button green', 'sigil' => 'create-rule', 'mustcapture' => true), pht('New Rule')))->setDescription(pht('These rules are processed in order.'))->setContent(javelin_tag('table', array('sigil' => 'rules', 'class' => 'policy-rules-table'), '')))->appendChild(id(new AphrontFormMarkupControl())->setLabel(pht('If No Rules Match'))->setValue(pht('%s all other users.', $default_select))); $form = phutil_tag('div', array('id' => $root_id), $form); $rule_options = mpull($rules, 'getRuleDescription'); $type_map = mpull($rules, 'getValueControlType'); $templates = mpull($rules, 'getValueControlTemplate'); require_celerity_resource('policy-edit-css'); Javelin::initBehavior('policy-rule-editor', array('rootID' => $root_id, 'actions' => $action_options, 'rules' => $rule_options, 'types' => $type_map, 'templates' => $templates, 'data' => $rule_data, 'defaultRule' => $default_rule)); $dialog = id(new AphrontDialogView())->setWidth(AphrontDialogView::WIDTH_FULL)->setUser($viewer)->setTitle(pht('Edit Policy'))->appendChild($form)->addSubmitButton(pht('Save Policy'))->addCancelButton('#'); return id(new AphrontDialogResponse())->setDialog($dialog); }
public function rejectObject(PhabricatorPolicyInterface $object, $policy, $capability) { if (!$this->raisePolicyExceptions) { return; } if ($this->viewer->isOmnipotent()) { // Never raise policy exceptions for the omnipotent viewer. Although we // will never normally issue a policy rejection for the omnipotent // viewer, we can end up here when queries blanket reject objects that // have failed to load, without distinguishing between nonexistent and // nonvisible objects. return; } $capobj = PhabricatorPolicyCapability::getCapabilityByKey($capability); $rejection = null; if ($capobj) { $rejection = $capobj->describeCapabilityRejection(); $capability_name = $capobj->getCapabilityName(); } else { $capability_name = $capability; } if (!$rejection) { // We couldn't find the capability object, or it doesn't provide a // tailored rejection string. $rejection = pht('You do not have the required capability ("%s") to do whatever you ' . 'are trying to do.', $capability); } $more = PhabricatorPolicy::getPolicyExplanation($this->viewer, $policy); $exceptions = $object->describeAutomaticCapability($capability); $details = array_filter(array_merge(array($more), (array) $exceptions)); // NOTE: Not every type of policy object has a real PHID; just load an // empty handle if a real PHID isn't available. $phid = nonempty($object->getPHID(), PhabricatorPHIDConstants::PHID_VOID); $handle = id(new PhabricatorHandleQuery())->setViewer($this->viewer)->withPHIDs(array($phid))->executeOne(); $object_name = pht('%s %s', $handle->getTypeName(), $handle->getObjectName()); $is_serious = PhabricatorEnv::getEnvConfig('phabricator.serious-business'); if ($is_serious) { $title = pht('Access Denied: %s', $object_name); } else { $title = pht('You Shall Not Pass: %s', $object_name); } $full_message = pht('[%s] (%s) %s // %s', $title, $capability_name, $rejection, implode(' ', $details)); $exception = id(new PhabricatorPolicyException($full_message))->setTitle($title)->setRejection($rejection)->setCapabilityName($capability_name)->setMoreInfo($details); throw $exception; }
private function buildObjectSection(PhabricatorPolicyInterface $object, PhabricatorPolicy $policy, $capability, PhabricatorObjectHandle $handle) { $viewer = $this->getViewer(); $capability_name = $this->getCapabilityName($capability); $object_section = id(new PHUIPolicySectionView())->setViewer($viewer)->setIcon($handle->getIcon() . ' bluegrey')->setHeader(pht('Object Policy'))->appendList(array(array(phutil_tag('strong', array(), pht('%s:', $capability_name)), ' ', $policy->getShortName())))->appendParagraph(pht('In detail, this means that these users can take this action, ' . 'provided they pass all of the checks described above first:'))->appendList(array(PhabricatorPolicy::getPolicyExplanation($viewer, $policy->getPHID()))); $strength = $this->getStrengthInformation($object, $policy, $capability); if ($strength) { $object_section->appendHint($strength); } return $object_section; }
protected function getOptions() { $capability = $this->capability; $policies = $this->policies; $viewer = $this->getUser(); // Check if we're missing the policy for the current control value. This // is unusual, but can occur if the user is submitting a form and selected // an unusual project as a policy but the change has not been saved yet. $policy_map = mpull($policies, null, 'getPHID'); $value = $this->getValue(); if ($value && empty($policy_map[$value])) { $handle = id(new PhabricatorHandleQuery())->setViewer($viewer)->withPHIDs(array($value))->executeOne(); if ($handle->isComplete()) { $policies[] = PhabricatorPolicy::newFromPolicyAndHandle($value, $handle); } } // Exclude object policies which don't make sense here. This primarily // filters object policies associated from template capabilities (like // "Default Task View Policy" being set to "Task Author") so they aren't // made available on non-template capabilities (like "Can Bulk Edit"). foreach ($policies as $key => $policy) { if ($policy->getType() != PhabricatorPolicyType::TYPE_OBJECT) { continue; } $rule = PhabricatorPolicyQuery::getObjectPolicyRule($policy->getPHID()); if (!$rule) { continue; } $target = nonempty($this->templateObject, $this->object); if (!$rule->canApplyToObject($target)) { unset($policies[$key]); continue; } } $options = array(); foreach ($policies as $policy) { if ($policy->getPHID() == PhabricatorPolicies::POLICY_PUBLIC) { // Never expose "Public" for capabilities which don't support it. $capobj = PhabricatorPolicyCapability::getCapabilityByKey($capability); if (!$capobj || !$capobj->shouldAllowPublicPolicySetting()) { continue; } } $policy_short_name = id(new PhutilUTF8StringTruncator())->setMaximumGlyphs(28)->truncateString($policy->getName()); $options[$policy->getType()][$policy->getPHID()] = array('name' => $policy_short_name, 'full' => $policy->getName(), 'icon' => $policy->getIcon(), 'sort' => phutil_utf8_strtolower($policy->getName())); } $type_project = PhabricatorPolicyType::TYPE_PROJECT; // Make sure we have a "Projects" group before we adjust it. if (empty($options[$type_project])) { $options[$type_project] = array(); } $options[$type_project] = isort($options[$type_project], 'sort'); $placeholder = id(new PhabricatorPolicy())->setName(pht('Other Project...'))->setIcon('fa-search'); $options[$type_project][$this->getSelectProjectKey()] = array('name' => $placeholder->getName(), 'full' => $placeholder->getName(), 'icon' => $placeholder->getIcon()); // If we were passed several custom policy options, throw away the ones // which aren't the value for this capability. For example, an object might // have a custom view policy and a custom edit policy. When we render // the selector for "Can View", we don't want to show the "Can Edit" // custom policy -- if we did, the menu would look like this: // // Custom // Custom Policy // Custom Policy // // ...where one is the "view" custom policy, and one is the "edit" custom // policy. $type_custom = PhabricatorPolicyType::TYPE_CUSTOM; if (!empty($options[$type_custom])) { $options[$type_custom] = array_select_keys($options[$type_custom], array($this->getValue())); } // If there aren't any custom policies, add a placeholder policy so we // render a menu item. This allows the user to switch to a custom policy. if (empty($options[$type_custom])) { $placeholder = new PhabricatorPolicy(); $placeholder->setName(pht('Custom Policy...')); $options[$type_custom][$this->getSelectCustomKey()] = array('name' => $placeholder->getName(), 'full' => $placeholder->getName(), 'icon' => $placeholder->getIcon()); } $options = array_select_keys($options, array(PhabricatorPolicyType::TYPE_GLOBAL, PhabricatorPolicyType::TYPE_OBJECT, PhabricatorPolicyType::TYPE_USER, PhabricatorPolicyType::TYPE_CUSTOM, PhabricatorPolicyType::TYPE_PROJECT)); return $options; }