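/**
 * Policy rule: passes when the viewer is the host of the object.
 *
 * @param PhabricatorUser $viewer Viewer the rule is evaluated for.
 * @param mixed $value Rule value; this rule does not read it.
 * @param PhabricatorPolicyInterface $object Object that exposes getHostPHID().
 * @return bool True only when the viewer has a PHID identical to the host PHID.
 */
public function applyRule(PhabricatorUser $viewer, $value, PhabricatorPolicyInterface $object)
 {
     $viewer_phid = $viewer->getPHID();
     if (!$viewer_phid) {
         // A viewer with no PHID can never be the host; deny without
         // consulting the object.
         return false;
     }
     // Strict comparison on purpose: this is an authorization decision, and
     // loose "==" applies type juggling (before PHP 8, integer 0 compares
     // equal to any non-numeric string; numeric-looking strings compare by
     // value). Only an identical PHID may match.
     return $object->getHostPHID() === $viewer_phid;
 }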
 /**
  * Policy rule: passes when the viewer is a participant of the object.
  *
  * @param PhabricatorUser $viewer Viewer the rule is evaluated for.
  * @param mixed $value Rule value; this rule does not read it.
  * @param PhabricatorPolicyInterface $object Object that exposes
  *   getParticipantIfExists().
  * @return bool True when the object returns a truthy participant for the
  *   viewer's PHID; false otherwise, including when the viewer has no PHID.
  */
 public function applyRule(PhabricatorUser $viewer, $value, PhabricatorPolicyInterface $object)
 {
     $phid = $viewer->getPHID();
     if ($phid) {
         // Any truthy lookup result counts as "is a participant".
         $participant = $object->getParticipantIfExists($phid);
         return $participant ? true : false;
     }
     // No PHID: deny without querying the object.
     return false;
 }
 /**
  * Policy rule: passes when the object's PHID is listed in the viewer's entry
  * of $this->memberships.
  *
  * @param PhabricatorUser $viewer Viewer the rule is evaluated for.
  * @param mixed $value Rule value; this rule does not read it.
  * @param PhabricatorPolicyInterface $object Object whose PHID is looked up.
  * @return bool True when an entry exists for the object PHID; false
  *   otherwise, including when the viewer has no PHID.
  */
 public function applyRule(PhabricatorUser $viewer, $value, PhabricatorPolicyInterface $object)
 {
     $phid = $viewer->getPHID();
     if ($phid) {
         // $this->memberships is populated outside this block; presumably a
         // map of viewer PHID => (object PHID => ...) -- confirm against the
         // code that fills it.
         $viewer_memberships = idx($this->memberships, $phid);
         $object_phid = $object->getPHID();
         return isset($viewer_memberships[$object_phid]);
     }
     // No PHID: deny.
     return false;
 }
 /**
  * Policy rule: passes when the viewer is subscribed to the object, either
  * automatically or through an entry in $this->subscribed.
  *
  * @param PhabricatorUser $viewer Viewer the rule is evaluated for.
  * @param mixed $value Rule value; this rule does not read it.
  * @param PhabricatorPolicyInterface $object Object that exposes
  *   isAutomaticallySubscribed() and getPHID().
  * @return bool True when the viewer is subscribed; false otherwise,
  *   including when the viewer has no PHID.
  */
 public function applyRule(PhabricatorUser $viewer, $value, PhabricatorPolicyInterface $object)
 {
     $phid = $viewer->getPHID();
     if (!$phid) {
         // No PHID: deny before asking the object anything.
         return false;
     }
     if (!$object->isAutomaticallySubscribed($phid)) {
         // Fall back to the subscription data held on this rule;
         // $this->subscribed is populated outside this block.
         $viewer_subscriptions = idx($this->subscribed, $phid);
         return isset($viewer_subscriptions[$object->getPHID()]);
     }
     // The object itself reports the viewer as subscribed.
     return true;
 }
 /**
  * Load the policy behind each capability of an object.
  *
  * @param PhabricatorUser $viewer Viewer the policy query runs as.
  * @param PhabricatorPolicyInterface $object Object whose capabilities are
  *   inspected.
  * @return array Map of capability => query result for that capability's
  *   policy PHID.
  */
 public static function loadPolicies(PhabricatorUser $viewer, PhabricatorPolicyInterface $object)
 {
     // capability => policy PHID, as reported by the object.
     $policy_phids = array();
     foreach ($object->getCapabilities() as $capability) {
         $policy_phids[$capability] = $object->getPolicy($capability);
     }

     $query = id(new PhabricatorPolicyQuery())
         ->setViewer($viewer)
         ->withPHIDs($policy_phids);
     $loaded = $query->execute();

     // NOTE(review): this lookup assumes the query result is keyed by PHID
     // and contains every PHID that was requested -- confirm against
     // PhabricatorPolicyQuery.
     $by_capability = array();
     foreach ($policy_phids as $capability => $policy_phid) {
         $by_capability[$capability] = $loaded[$policy_phid];
     }
     return $by_capability;
 }
 /**
  * Render a description of the policy behind each capability of an object.
  *
  * Capabilities for which the object reports no policy are left out of the
  * result.
  *
  * @param PhabricatorUser $viewer Viewer the policy query runs as.
  * @param PhabricatorPolicyInterface $object Object whose capabilities are
  *   described.
  * @return array Map of capability => rendered policy description.
  */
 public static function renderPolicyDescriptions(PhabricatorUser $viewer, PhabricatorPolicyInterface $object)
 {
     $descriptions = array();
     // Filled on first use; stays null while every policy seen is global.
     $object_policies = null;
     $global_policies = self::getGlobalPolicies();

     foreach ($object->getCapabilities() as $capability) {
         $policy_phid = $object->getPolicy($capability);
         if (!$policy_phid) {
             continue;
         }

         if (!isset($global_policies[$policy_phid])) {
             if ($object_policies === null) {
                 // One query for the whole object: it may fetch more than
                 // this capability needs, which is accepted here, and it
                 // runs at most once per call.
                 $object_policies = id(new PhabricatorPolicyQuery())
                     ->setViewer($viewer)
                     ->setObject($object)
                     ->execute();
             }
             $policy = $object_policies[$policy_phid];
         } else {
             $policy = $global_policies[$policy_phid];
         }

         $descriptions[$capability] = $policy->renderDescription();
     }

     return $descriptions;
 }
 /**
  * Decide whether $this->viewer holds a capability on an object.
  *
  * The object's policy is normalized first (missing policy and disallowed
  * "public" both become "user"), then the object's automatic capability is
  * consulted, and only then is the policy value evaluated.
  *
  * @param PhabricatorPolicyInterface $object Object being checked.
  * @param mixed $capability Capability constant; compared against
  *   PhabricatorPolicyCapability::CAN_VIEW.
  * @return bool True when access is granted; false when a rejected branch
  *   falls through (see the note on rejectObject() below).
  * @throws Exception When the policy is none of the four policy constants
  *   handled by the switch and no automatic capability applied.
  */
 private function checkCapability(PhabricatorPolicyInterface $object, $capability)
 {
     $policy = $object->getPolicy($capability);
     if (!$policy) {
         // TODO: Formalize this somehow?
         // An object that reports no policy is treated as "user", not as
         // open access.
         $policy = PhabricatorPolicies::POLICY_USER;
     }
     if ($policy == PhabricatorPolicies::POLICY_PUBLIC) {
         // If the object is set to "public" but that policy is disabled for this
         // install, restrict the policy to "user".
         if (!PhabricatorEnv::getEnvConfig('policy.allow-public')) {
             $policy = PhabricatorPolicies::POLICY_USER;
         }
         // If the object is set to "public" but the capability is anything other
         // than "view", restrict the policy to "user".
         if ($capability != PhabricatorPolicyCapability::CAN_VIEW) {
             $policy = PhabricatorPolicies::POLICY_USER;
         }
     }
     $viewer = $this->viewer;
     // This check runs before the policy value is evaluated, so an automatic
     // capability grants access whatever the policy is, including "no one"
     // and values the switch below would reject as unknown.
     if ($object->hasAutomaticCapability($capability, $viewer)) {
         return true;
     }
     // NOTE(review): switch (like the "==" / "!=" above) compares loosely;
     // this relies on policy values and capability constants being plain
     // strings -- confirm.
     switch ($policy) {
         case PhabricatorPolicies::POLICY_PUBLIC:
             return true;
         case PhabricatorPolicies::POLICY_USER:
             // Any viewer with a PHID passes.
             if ($viewer->getPHID()) {
                 return true;
             } else {
                 // rejectObject() is defined outside this block; if it
                 // returns rather than throwing, control reaches the final
                 // "return false".
                 $this->rejectObject($object, $policy, $capability);
             }
             break;
         case PhabricatorPolicies::POLICY_ADMIN:
             if ($viewer->getIsAdmin()) {
                 return true;
             } else {
                 $this->rejectObject($object, $policy, $capability);
             }
             break;
         case PhabricatorPolicies::POLICY_NOONE:
             $this->rejectObject($object, $policy, $capability);
             break;
         default:
             // Fail closed: a policy value with no case above is an error,
             // never an implicit grant.
             throw new Exception("Object has unknown policy '{$policy}'!");
     }
     return false;
 }
 /**
  * Build the "access denied" title for an object.
  *
  * @param PhabricatorPolicyInterface $object Object access was denied to.
  * @return mixed Result of pht() for the denial title, including the
  *   object name taken from the object's handle.
  */
 private function renderAccessDenied(PhabricatorPolicyInterface $object)
 {
     // Some policy objects have no real PHID; fall back to the void PHID so
     // the handle query still yields a (blank) handle.
     $object_phid = $object->getPHID();
     $handle_phid = nonempty($object_phid, PhabricatorPHIDConstants::PHID_VOID);

     // The handle is loaded as $this->viewer, so the name shown is whatever
     // the handle query exposes to that viewer.
     $handle = id(new PhabricatorHandleQuery())
         ->setViewer($this->viewer)
         ->withPHIDs(array($handle_phid))
         ->executeOne();
     $name = $handle->getObjectName();

     // The config flag selects between the plain and the joke wording.
     if (PhabricatorEnv::getEnvConfig('phabricator.serious-business')) {
         return pht('Access Denied: %s', $name);
     }
     return pht('You Shall Not Pass: %s', $name);
 }
 /**
  * Record that an object was rejected and hand it to the policy filter.
  *
  * @param PhabricatorPolicyInterface $object Object that was rejected.
  * @return void
  */
 protected function didRejectResult(PhabricatorPolicyInterface $object)
 {
     $can_view = PhabricatorPolicyCapability::CAN_VIEW;

     // Determining the view policy can itself fail: an object such as a
     // commit may depend on a related object (such as its repository) that
     // could not be loaded. That is expected, so the policy is left null
     // rather than letting the exception escape.
     $view_policy = null;
     try {
         $view_policy = $object->getPolicy($can_view);
     } catch (Exception $ex) {
         // Policy stays null; the rejection below still happens.
     }

     // Flag the PHID as policy-filtered so that handles can render
     // "Restricted" instead of "Unknown".
     $object_phid = $object->getPHID();
     $filtered = array($object_phid => $object_phid);
     $this->addPolicyFilteredPHIDs($filtered);

     $filter = $this->getPolicyFilter();
     $filter->rejectObject($object, $view_policy, $can_view);
 }
 /**
  * Resolve the policy to evaluate for a capability on an object.
  *
  * @param PhabricatorPolicyInterface $object Object being checked.
  * @param mixed $capability Capability passed to the object's getPolicy().
  * @return mixed $this->forcedPolicy when it is truthy, otherwise the
  *   object's own policy for the capability.
  */
 private function getObjectPolicy(PhabricatorPolicyInterface $object, $capability)
 {
     // A forced policy overrides whatever the object reports; it is set
     // outside this block.
     $forced = $this->forcedPolicy;
     if (!$forced) {
         return $object->getPolicy($capability);
     }
     return $forced;
 }
 /**
  * Look up the default policy for a capability, based on the object's PHID
  * type.
  *
  * @param PhabricatorUser $viewer Viewer the policy query runs as.
  * @param PhabricatorPolicyInterface $object Object whose PHID type selects
  *   the default.
  * @param mixed $capability Capability key within the type's defaults.
  * @return mixed Result of the policy query's executeOne(), or null when the
  *   object has no PHID or no non-empty default is mapped for its type and
  *   capability.
  */
 public static function getDefaultPolicyForObject(PhabricatorUser $viewer, PhabricatorPolicyInterface $object, $capability)
 {
     $object_phid = $object->getPHID();
     if ($object_phid) {
         $phid_type = phid_get_type($object_phid);
         $defaults = self::getDefaultObjectTypePolicyMap();

         // empty() also covers a missing type or capability key without
         // raising a notice.
         if (!empty($defaults[$phid_type][$capability])) {
             $policy_phid = $defaults[$phid_type][$capability];
             return id(new PhabricatorPolicyQuery())
                 ->setViewer($viewer)
                 ->withPHIDs(array($policy_phid))
                 ->executeOne();
         }
     }
     return null;
 }
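 /**
  * Build the section listing capabilities a user must also hold on other
  * objects before this object's capability applies.
  *
  * @param PhabricatorPolicyInterface $object Object being explained.
  * @param mixed $capability Capability whose extended policy is listed.
  * @return PHUIPolicySectionView|null The section, or null when the object
  *   does not implement PhabricatorExtendedPolicyInterface or reports no
  *   extended rules for the capability.
  */
 private function buildExtendedSection(PhabricatorPolicyInterface $object, $capability)
 {
     $viewer = $this->getViewer();
     if (!$object instanceof PhabricatorExtendedPolicyInterface) {
         return null;
     }
     $extended_rules = $object->getExtendedPolicy($capability, $viewer);
     if (!$extended_rules) {
         return null;
     }
     $items = array();
     foreach ($extended_rules as $extended_rule) {
         // Each rule is read as a pair: [0] is the target (an object or a
         // PHID), [1] is one capability or a list of capabilities.
         $extended_target = $extended_rule[0];
         $extended_capabilities = (array) $extended_rule[1];
         if (is_object($extended_target)) {
             $extended_target = $extended_target->getPHID();
         }
         foreach ($extended_capabilities as $extended_capability) {
             $ex_name = $this->getCapabilityName($extended_capability);
             // The target is rendered through the viewer's handle, so what
             // is shown for it is whatever that handle exposes to the viewer.
             $items[] = array(
                 phutil_tag('strong', array(), pht('%s:', $ex_name)),
                 ' ',
                 $viewer->renderHandle($extended_target)->setAsTag(true),
             );
         }
     }
     // The paragraph text reads "must first have access capabilities" (it
     // previously read "must have first have access capabilties").
     // NOTE(review): pht() source strings presumably double as translation
     // keys -- confirm whether translations of the old text need updating.
     return id(new PHUIPolicySectionView())
         ->setViewer($viewer)
         ->setIcon('fa-link')
         ->setHeader(pht('Required Capabilities on Other Objects'))
         ->appendParagraph(pht(
             'To access this object, users must first have access ' .
             'capabilities on these other objects:'
         ))
         ->appendList($items);
 }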