public static function loadPolicies(PhabricatorUser $viewer, PhabricatorPolicyInterface $object)
{
$results = array();
$map = array();
foreach ($object->getCapabilities() as $capability) {
$map[$capability] = $object->getPolicy($capability);
}
$policies = id(new PhabricatorPolicyQuery())->setViewer($viewer)->withPHIDs($map)->execute();
foreach ($map as $capability => $phid) {
$results[$capability] = $policies[$phid];
}
return $results;
}
public static function renderPolicyDescriptions(PhabricatorUser $viewer, PhabricatorPolicyInterface $object)
{
$results = array();
$policies = null;
$global = self::getGlobalPolicies();
$capabilities = $object->getCapabilities();
foreach ($capabilities as $capability) {
$policy = $object->getPolicy($capability);
if (!$policy) {
continue;
}
if (isset($global[$policy])) {
$results[$capability] = $global[$policy]->renderDescription();
continue;
}
if ($policies === null) {
// This slightly overfetches data, but it shouldn't generally
// be a problem.
$policies = id(new PhabricatorPolicyQuery())->setViewer($viewer)->setObject($object)->execute();
}
$results[$capability] = $policies[$policy]->renderDescription();
}
return $results;
}
private function getObjectPolicy(PhabricatorPolicyInterface $object, $capability)
{
if ($this->forcedPolicy) {
return $this->forcedPolicy;
} else {
return $object->getPolicy($capability);
}
}
protected function didRejectResult(PhabricatorPolicyInterface $object)
{
// Some objects (like commits) may be rejected because related objects
// (like repositories) can not be loaded. In some cases, we may need these
// related objects to determine the object policy, so it's expected that
// we may occasionally be unable to determine the policy.
try {
$policy = $object->getPolicy(PhabricatorPolicyCapability::CAN_VIEW);
} catch (Exception $ex) {
$policy = null;
}
// Mark this object as filtered so handles can render "Restricted" instead
// of "Unknown".
$phid = $object->getPHID();
$this->addPolicyFilteredPHIDs(array($phid => $phid));
$this->getPolicyFilter()->rejectObject($object, $policy, PhabricatorPolicyCapability::CAN_VIEW);
}
private function checkCapability(PhabricatorPolicyInterface $object, $capability)
{
$policy = $object->getPolicy($capability);
if (!$policy) {
// TODO: Formalize this somehow?
$policy = PhabricatorPolicies::POLICY_USER;
}
if ($policy == PhabricatorPolicies::POLICY_PUBLIC) {
// If the object is set to "public" but that policy is disabled for this
// install, restrict the policy to "user".
if (!PhabricatorEnv::getEnvConfig('policy.allow-public')) {
$policy = PhabricatorPolicies::POLICY_USER;
}
// If the object is set to "public" but the capability is anything other
// than "view", restrict the policy to "user".
if ($capability != PhabricatorPolicyCapability::CAN_VIEW) {
$policy = PhabricatorPolicies::POLICY_USER;
}
}
$viewer = $this->viewer;
if ($object->hasAutomaticCapability($capability, $viewer)) {
return true;
}
switch ($policy) {
case PhabricatorPolicies::POLICY_PUBLIC:
return true;
case PhabricatorPolicies::POLICY_USER:
if ($viewer->getPHID()) {
return true;
} else {
$this->rejectObject($object, $policy, $capability);
}
break;
case PhabricatorPolicies::POLICY_ADMIN:
if ($viewer->getIsAdmin()) {
return true;
} else {
$this->rejectObject($object, $policy, $capability);
}
break;
case PhabricatorPolicies::POLICY_NOONE:
$this->rejectObject($object, $policy, $capability);
break;
default:
throw new Exception("Object has unknown policy '{$policy}'!");
}
return false;
}
