/**
 * Append an explanation of the object's Space to a policy dialog.
 *
 * Nothing is appended unless the object implements
 * PhabricatorSpacesInterface and getSpacesExist() is true for the viewer.
 * The Space's view policy is only explained when the object's Space is
 * found in the result of getViewerSpaces() for the viewer.
 *
 * @param AphrontDialogView $dialog Dialog that receives the paragraphs.
 * @param PhabricatorPolicyInterface $object Object being explained.
 * @param PhabricatorPolicy $policy Policy compared against the Space's view
 *   policy; the hint text refers to it as the object's policy.
 * @param mixed $capability Capability being explained; loosely compared
 *   against PhabricatorPolicyCapability::CAN_VIEW.
 * @return void
 */
private function appendSpaceInformation(
  AphrontDialogView $dialog,
  PhabricatorPolicyInterface $object,
  PhabricatorPolicy $policy,
  $capability) {

  $viewer = $this->getViewer();

  $is_spaces_object = ($object instanceof PhabricatorSpacesInterface);
  if (!$is_spaces_object ||
      !PhabricatorSpacesNamespaceQuery::getSpacesExist($viewer)) {
    return;
  }

  // NOTE: Users are intentionally let through here even if they only have
  // access to one space. The intent is to help users in "space jail"
  // understand who the objects they create are visible to.

  $object_space_phid =
    PhabricatorSpacesNamespaceQuery::getObjectSpacePHID($object);
  $space_handles = $viewer->loadHandles(array($object_space_phid));
  $guide_uri = PhabricatorEnv::getDoclink('Spaces User Guide');

  // This paragraph is appended before the check below that the Space is one
  // of the viewer's Spaces, so what it shows about the Space depends on how
  // the viewer-scoped handle renders.
  // NOTE(review): confirm the handle for a Space the viewer cannot see
  // renders without disclosing the Space's name.
  $summary = pht(
    'This object is in %s, and can only be seen or edited by users with '.
    'access to view objects in the space.',
    $space_handles[$object_space_phid]->renderLink());

  $learn_more = phutil_tag(
    'strong',
    array(),
    phutil_tag(
      'a',
      array(
        'href' => $guide_uri,
        'target' => '_blank',
      ),
      pht('Learn More')));

  $dialog->appendParagraph(array($summary, ' ', $learn_more));

  // Only explain the Space's policy when the Space is in the viewer's list.
  $viewer_spaces = PhabricatorSpacesNamespaceQuery::getViewerSpaces($viewer);
  $object_space = idx($viewer_spaces, $object_space_phid);
  if (!$object_space) {
    return;
  }

  $view_capability = PhabricatorPolicyCapability::CAN_VIEW;

  $policies_for_space = PhabricatorPolicyQuery::loadPolicies(
    $viewer,
    $object_space);
  $space_view_policy = idx($policies_for_space, $view_capability);
  if (!$space_view_policy) {
    return;
  }

  $explanation = PhabricatorPolicy::getPolicyExplanation(
    $viewer,
    $space_view_policy->getPHID());

  // The list currently holds a single entry: the Space policy explanation.
  $list_items = array(
    phutil_tag('li', array(), $explanation),
  );

  $dialog->appendParagraph(pht('Users who can see objects in this space:'));
  $dialog->appendChild(phutil_tag('ul', array(), $list_items));

  // The "more restrictive" hint only applies when explaining the view
  // capability; isStrongerThan() is not consulted for other capabilities.
  if ($capability == $view_capability &&
      $space_view_policy->isStrongerThan($policy)) {
    $dialog->appendParagraph(
      pht(
        'The space this object is in has a more restrictive view '.
        'policy ("%s") than the object does ("%s"), so the space\'s '.
        'view policy is shown as a hint instead of the object policy.',
        $space_view_policy->getShortName(),
        $policy->getShortName()));
  }

  $dialog->appendParagraph(
    pht(
      'After a user passes space policy checks, they must still pass '.
      'object policy checks.'));
}
/**
 * Build the "Space" section of a policy explanation.
 *
 * Every lookup is made with the current viewer. No section is built, and
 * nothing about the Space is rendered, unless the object's Space is found
 * in the result of getViewerSpaces() and a view policy can be loaded for it.
 *
 * @param PhabricatorPolicyInterface $object Object being explained.
 * @param PhabricatorPolicy $policy Policy compared against the Space's view
 *   policy; the hint text refers to it as the object's policy.
 * @param mixed $capability Capability being explained; loosely compared
 *   against PhabricatorPolicyCapability::CAN_VIEW.
 * @return PHUIPolicySectionView|null The section, or null when the object
 *   is not a Spaces object, no Spaces exist, the Space is not in the
 *   viewer's list, or the Space has no view policy.
 */
private function buildSpaceSection(
  PhabricatorPolicyInterface $object,
  PhabricatorPolicy $policy,
  $capability) {

  $viewer = $this->getViewer();

  $is_spaces_object = ($object instanceof PhabricatorSpacesInterface);
  if (!$is_spaces_object ||
      !PhabricatorSpacesNamespaceQuery::getSpacesExist($viewer)) {
    return null;
  }

  $object_space_phid =
    PhabricatorSpacesNamespaceQuery::getObjectSpacePHID($object);

  // Stop before rendering anything if the Space is not in the viewer's list.
  $viewer_spaces = PhabricatorSpacesNamespaceQuery::getViewerSpaces($viewer);
  $object_space = idx($viewer_spaces, $object_space_phid);
  if (!$object_space) {
    return null;
  }

  $view_capability = PhabricatorPolicyCapability::CAN_VIEW;

  $policies_for_space = PhabricatorPolicyQuery::loadPolicies(
    $viewer,
    $object_space);
  $space_view_policy = idx($policies_for_space, $view_capability);
  if (!$space_view_policy) {
    return null;
  }

  $guide_uri = PhabricatorEnv::getDoclink('Spaces User Guide');
  $capability_label = $this->getCapabilityName($capability);

  // Two summary rows: which Space the object is in, and the Space's view
  // policy labelled with the name of the capability being explained.
  $space_row = array(
    phutil_tag('strong', array(), pht('Space:')),
    ' ',
    $viewer->renderHandle($object_space_phid)->setAsTag(true),
  );

  $policy_row = array(
    phutil_tag('strong', array(), pht('%s:', $capability_label)),
    ' ',
    $space_view_policy->getShortName(),
  );

  $section = id(new PHUIPolicySectionView())
    ->setViewer($viewer)
    ->setIcon('fa-th-large bluegrey')
    ->setHeader(pht('Space'))
    ->setDocumentationLink(pht('Spaces Documentation'), $guide_uri)
    ->appendList(array($space_row, $policy_row))
    ->appendParagraph(
      pht(
        'This object is in %s and can only be seen or edited by users '.
        'with access to view objects in the space.',
        $viewer->renderHandle($object_space_phid)));

  $explanation = PhabricatorPolicy::getPolicyExplanation(
    $viewer,
    $space_view_policy->getPHID());

  // The list currently holds a single entry: the Space policy explanation.
  $section
    ->appendParagraph(pht('Users who can see objects in this space:'))
    ->appendList(array($explanation));

  // The "more restrictive" hint only applies when explaining the view
  // capability; isStrongerThan() is not consulted for other capabilities.
  if ($capability == $view_capability &&
      $space_view_policy->isStrongerThan($policy)) {
    $section->appendHint(
      pht(
        'The space this object is in has a more restrictive view '.
        'policy ("%s") than the object does ("%s"), so the space\'s '.
        'view policy is shown as a hint instead of the object policy.',
        $space_view_policy->getShortName(),
        $policy->getShortName()));
  }

  $section->appendHint(
    pht(
      'After a user passes space policy checks, they must still pass '.
      'object policy checks.'));

  return $section;
}
/**
 * Print policy information for exactly one named object.
 *
 * The object, its handle and its policies are all loaded with the
 * workflow's viewer. For each capability the policy description and policy
 * explanation are written, followed by any lines returned by the object's
 * describeAutomaticCapability().
 *
 * @param PhutilArgumentParser $args Parsed arguments; "objects" holds the
 *   object names.
 * @return void
 * @throws PhutilArgumentUsageException When no name or more than one name
 *   is given, or when no object is loaded for the name.
 */
public function execute(PhutilArgumentParser $args) {
  $console = PhutilConsole::getConsole();
  $viewer = $this->getViewer();

  $names = $args->getArg('objects');
  if (!$names) {
    throw new PhutilArgumentUsageException(
      pht('Specify the name of an object to show policy information for.'));
  }

  if (count($names) > 1) {
    throw new PhutilArgumentUsageException(
      pht(
        'Specify the name of exactly one object to show policy information '.
        'for.'));
  }

  $target = id(new PhabricatorObjectQuery())
    ->setViewer($viewer)
    ->withNames($names)
    ->executeOne();
  if (!$target) {
    throw new PhutilArgumentUsageException(
      pht("No such object '%s'!", head($names)));
  }

  $target_handle = id(new PhabricatorHandleQuery())
    ->setViewer($viewer)
    ->withPHIDs(array($target->getPHID()))
    ->executeOne();

  $policy_map = PhabricatorPolicyQuery::loadPolicies($viewer, $target);

  $console->writeOut("__%s__\n\n", pht('OBJECT'));
  $console->writeOut(" %s\n", $target_handle->getFullName());
  $console->writeOut("\n");

  $console->writeOut("__%s__\n\n", pht('CAPABILITIES'));
  foreach ($policy_map as $capability => $policy) {
    $explanation = PhabricatorPolicy::getPolicyExplanation(
      $viewer,
      $policy->getPHID());

    $console->writeOut(" **%s**\n", $capability);
    $console->writeOut(" %s\n", $policy->renderDescription());
    $console->writeOut(" %s\n", $explanation);
    $console->writeOut("\n");

    // Automatic capabilities are described by the object itself; the cast
    // accepts either a single value or a list of lines.
    $automatic = (array) $target->describeAutomaticCapability($capability);
    if (!$automatic) {
      continue;
    }

    foreach ($automatic as $line) {
      $console->writeOut(" %s\n", $line);
    }
    $console->writeOut("\n");
  }
}
/**
 * Render a dialog explaining who has one capability on one object.
 *
 * The object, its policies and its handle are loaded as the requesting
 * user. A 404 is returned both when the viewer-scoped query yields no
 * object and when the requested capability is not among the object's
 * loaded policies, so the two cases produce the same response type.
 *
 * @return AphrontDialogResponse|Aphront404Response
 */
public function processRequest() {
  $request = $this->getRequest();
  $viewer = $request->getUser();

  // NOTE(review): presumably both values come from the request route;
  // confirm against the code that assigns them. They are only used as
  // lookup keys below.
  $object_phid = $this->phid;
  $capability = $this->capability;

  $target = id(new PhabricatorObjectQuery())
    ->setViewer($viewer)
    ->withPHIDs(array($object_phid))
    ->executeOne();
  if (!$target) {
    return new Aphront404Response();
  }

  // A capability that is not a key of the loaded policy map is rejected.
  $policy_map = PhabricatorPolicyQuery::loadPolicies($viewer, $target);
  $policy = idx($policy_map, $capability);
  if (!$policy) {
    return new Aphront404Response();
  }

  $target_handle = id(new PhabricatorHandleQuery())
    ->setViewer($viewer)
    ->withPHIDs(array($object_phid))
    ->executeOne();

  // Fall back to the site root when the handle has no URI.
  $done_uri = nonempty($target_handle->getURI(), '/');

  $explanation = PhabricatorPolicy::getPolicyExplanation(
    $viewer,
    $policy->getPHID());
  $automatic = (array) $target->describeAutomaticCapability($capability);

  // The policy explanation comes first, then the automatic capabilities;
  // empty entries are dropped before rendering.
  $details = array_filter(array_merge(array($explanation), $automatic));
  foreach ($details as $index => $detail) {
    $details[$index] = phutil_tag('li', array(), $detail);
  }

  if ($details) {
    $details = phutil_tag('ul', array(), $details);
  }

  // Use the capability's display name when the key is a known capability,
  // and the raw key otherwise.
  $capability_object = PhabricatorPolicyCapability::getCapabilityByKey(
    $capability);
  $capability_label = $capability_object
    ? $capability_object->getCapabilityName()
    : $capability;

  $body = array(
    pht('Users with the "%s" capability:', $capability_label),
    $details,
  );

  $target_name = pht(
    '%s %s',
    $target_handle->getTypeName(),
    $target_handle->getObjectName());

  $dialog = id(new AphrontDialogView())
    ->setUser($viewer)
    ->setClass('aphront-access-dialog')
    ->setTitle(pht('Policy Details: %s', $target_name))
    ->appendChild($body)
    ->addCancelButton($done_uri, pht('Done'));

  return id(new AphrontDialogResponse())->setDialog($dialog);
}
/**
 * Render the view-policy callout for an object header.
 *
 * The callout links to the policy explanation page for the object's view
 * capability. When the object's Space has a strictly stronger view policy
 * than the object, the Space's policy is displayed instead. When the
 * object's own policy is displayed, CSS classes mark whether it differs
 * from the default policy and in which direction.
 *
 * @param PhabricatorPolicyInterface $object Object whose policy is shown.
 * @return mixed|null The rendered span, or null when no view policy is
 *   loaded for the object.
 */
private function renderPolicyProperty(PhabricatorPolicyInterface $object) {
  $viewer = $this->getUser();
  $view_capability = PhabricatorPolicyCapability::CAN_VIEW;

  $object_policies = PhabricatorPolicyQuery::loadPolicies($viewer, $object);
  $policy = idx($object_policies, $view_capability);
  if (!$policy) {
    return null;
  }

  // If an object is in a Space with a strictly stronger (more restrictive)
  // policy, show the more restrictive policy. This better aligns the UI
  // hint with the actual behavior.

  // NOTE: This happens even if the viewer has access to only one space; they
  // are shown information about the existence of spaces if they click
  // through.

  $shows_space_policy = false;
  if ($object instanceof PhabricatorSpacesInterface) {
    $object_space_phid =
      PhabricatorSpacesNamespaceQuery::getObjectSpacePHID($object);

    $viewer_spaces = PhabricatorSpacesNamespaceQuery::getViewerSpaces(
      $viewer);
    $object_space = idx($viewer_spaces, $object_space_phid);

    // The Space's policy is only considered when the Space is in the
    // viewer's list.
    if ($object_space) {
      $policies_for_space = PhabricatorPolicyQuery::loadPolicies(
        $viewer,
        $object_space);
      $space_view_policy = idx($policies_for_space, $view_capability);

      if ($space_view_policy &&
          $space_view_policy->isStrongerThan($policy)) {
        $policy = $space_view_policy;
        $shows_space_policy = true;
      }
    }
  }

  $css_classes = array('policy-header-callout');

  $object_phid = $object->getPHID();

  // When showing the object policy, try to determine whether it differs
  // from the default policy. If it does, call it out as changed.
  if (!$shows_space_policy) {
    $default_policy = PhabricatorPolicyQuery::getDefaultPolicyForObject(
      $viewer,
      $object,
      $view_capability);

    $is_adjusted = $default_policy &&
      ($default_policy->getPHID() != $policy->getPHID());

    if ($is_adjusted) {
      $css_classes[] = 'policy-adjusted';

      if ($default_policy->isStrongerThan($policy)) {
        // The policy has strictly been weakened. For example, the default
        // might be "All Users" and the current policy is "Public".
        $css_classes[] = 'policy-adjusted-weaker';
      } else if ($policy->isStrongerThan($default_policy)) {
        // The policy has strictly been strengthened, and is now more
        // restrictive than the default. For example, "All Users" has been
        // replaced with "No One".
        $css_classes[] = 'policy-adjusted-stronger';
      } else {
        // The policy has been adjusted but not strictly strengthened or
        // weakened. For example, "Members of X" has been replaced with
        // "Members of Y".
        $css_classes[] = 'policy-adjusted-different';
      }
    }
  }

  $icon = id(new PHUIIconView())
    ->setIcon($policy->getIcon().' bluegrey');

  // The link always targets the object's own view capability, including
  // when the Space's policy name is the one displayed.
  $explain_uri = '/policy/explain/'.$object_phid.'/'.$view_capability.'/';

  $link = javelin_tag(
    'a',
    array(
      'class' => 'policy-link',
      'href' => $explain_uri,
      'sigil' => 'workflow',
    ),
    $policy->getShortName());

  return phutil_tag(
    'span',
    array(
      'class' => implode(' ', $css_classes),
    ),
    array($icon, $link));
}
/**
 * Render the view-policy icon and link for an object header.
 *
 * The policy is loaded as the current user, and the link targets the policy
 * explanation page for the object's view capability. This variant shows
 * the object's own policy and does not consult Spaces.
 *
 * @param PhabricatorPolicyInterface $object Object whose policy is shown.
 * @return array|null The icon and link, or null when no view policy is
 *   loaded for the object.
 */
private function renderPolicyProperty(PhabricatorPolicyInterface $object) {
  $view_capability = PhabricatorPolicyCapability::CAN_VIEW;

  $object_policies = PhabricatorPolicyQuery::loadPolicies(
    $this->getUser(),
    $object);

  $policy = idx($object_policies, $view_capability);
  if (!$policy) {
    return null;
  }

  $object_phid = $object->getPHID();

  $icon = id(new PHUIIconView())
    ->setIconFont($policy->getIcon().' bluegrey');

  $explain_uri = '/policy/explain/'.$object_phid.'/'.$view_capability.'/';

  $link = javelin_tag(
    'a',
    array(
      'class' => 'policy-link',
      'href' => $explain_uri,
      'sigil' => 'workflow',
    ),
    $policy->getShortName());

  return array($icon, $link);
}