/**
 * Load the policy that governs each capability of an object.
 *
 * Every capability the object declares is mapped to the policy identifier
 * the object reports for it, and those identifiers are then resolved with
 * a PhabricatorPolicyQuery executed on behalf of $viewer.
 *
 * @param PhabricatorUser $viewer Viewer the policy query runs as.
 * @param PhabricatorPolicyInterface $object Object whose capabilities are
 *   enumerated.
 * @return array Map of capability => the query result entry stored under
 *   that capability's policy identifier.
 */
public static function loadPolicies(
  PhabricatorUser $viewer,
  PhabricatorPolicyInterface $object) {

  // Capability => policy identifier, exactly as the object reports it.
  $policy_by_capability = array();
  foreach ($object->getCapabilities() as $capability) {
    $policy_by_capability[$capability] = $object->getPolicy($capability);
  }

  // The capability-keyed map is handed to withPHIDs() as-is.
  $loaded = id(new PhabricatorPolicyQuery())
    ->setViewer($viewer)
    ->withPHIDs($policy_by_capability)
    ->execute();

  // NOTE(review): this lookup presumes execute() returns an entry keyed by
  // every requested policy identifier. If one is missing (or the object
  // reported an empty policy), the capability ends up mapped to null plus
  // an undefined-index notice -- callers should not read that as "no
  // restriction". Confirm against PhabricatorPolicyQuery.
  $by_capability = array();
  foreach ($policy_by_capability as $capability => $identifier) {
    $by_capability[$capability] = $loaded[$identifier];
  }

  return $by_capability;
}
/**
 * Render a description of the policy behind each capability of an object.
 *
 * Policies found in the global policy map are rendered straight from it.
 * Any other policy is rendered from a PhabricatorPolicyQuery that is scoped
 * to $object, executed as $viewer, and run at most once per call.
 *
 * @param PhabricatorUser $viewer Viewer the policy query runs as.
 * @param PhabricatorPolicyInterface $object Object whose capabilities are
 *   described.
 * @return array Map of capability => rendered description. Capabilities for
 *   which the object reports a falsy policy have no entry.
 */
public static function renderPolicyDescriptions(
  PhabricatorUser $viewer,
  PhabricatorPolicyInterface $object) {

  $descriptions = array();
  $object_policies = null;
  $global_policies = self::getGlobalPolicies();

  foreach ($object->getCapabilities() as $capability) {
    $policy = $object->getPolicy($capability);
    if (!$policy) {
      // Nothing to describe; the capability is left out of the result.
      continue;
    }

    if (isset($global_policies[$policy])) {
      $policy_object = $global_policies[$policy];
    } else {
      if ($object_policies === null) {
        // Fetched lazily and only once. This slightly overfetches data, but
        // it shouldn't generally be a problem.
        $object_policies = id(new PhabricatorPolicyQuery())
          ->setViewer($viewer)
          ->setObject($object)
          ->execute();
      }

      // NOTE(review): presumes the query result holds an entry for every
      // non-global policy of the object; a missing entry would make the
      // renderDescription() call below fail on null. Confirm against
      // PhabricatorPolicyQuery.
      $policy_object = $object_policies[$policy];
    }

    $descriptions[$capability] = $policy_object->renderDescription();
  }

  return $descriptions;
}
/**
 * Resolve the policy to evaluate for a capability on an object.
 *
 * A truthy $this->forcedPolicy wins over whatever the object reports, and
 * it does so for every object and every capability passed in.
 *
 * NOTE(review): where forcedPolicy gets assigned is not visible from this
 * method. Because it replaces the object's own policy wholesale, confirm
 * that callers only ever set it to tighten access, never to widen it.
 *
 * @param PhabricatorPolicyInterface $object Object being checked.
 * @param mixed $capability Capability whose policy is wanted.
 * @return mixed The forced policy when one is set, otherwise the object's
 *   policy for $capability.
 */
private function getObjectPolicy(
  PhabricatorPolicyInterface $object,
  $capability) {

  $forced = $this->forcedPolicy;
  if (!$forced) {
    return $object->getPolicy($capability);
  }

  return $forced;
}
/**
 * Record that an object was rejected and pass the rejection on to the
 * policy filter.
 *
 * The object's PHID is added to the policy-filtered set, then the policy
 * filter's rejectObject() is called for the CAN_VIEW capability.
 *
 * @param PhabricatorPolicyInterface $object Object that was rejected.
 * @return void
 */
protected function didRejectResult(PhabricatorPolicyInterface $object) {
  $capability = PhabricatorPolicyCapability::CAN_VIEW;

  // Some objects (like commits) may be rejected because related objects
  // (like repositories) can not be loaded. In some cases, we may need these
  // related objects to determine the object policy, so it's expected that
  // we may occasionally be unable to determine the policy.
  $policy = null;
  try {
    $policy = $object->getPolicy($capability);
  } catch (Exception $ignored) {
    // Deliberately swallowed: the rejection below still happens, only with
    // a null policy, so a failed lookup never turns into an allow here.
  }

  // Mark this object as filtered so handles can render "Restricted" instead
  // of "Unknown".
  $phid = $object->getPHID();
  $this->addPolicyFilteredPHIDs(array($phid => $phid));

  $this->getPolicyFilter()->rejectObject($object, $policy, $capability);
}
/**
 * Decide whether the current viewer holds a capability on an object.
 *
 * Evaluation order, which matters for anyone auditing this check:
 *
 *   1. A falsy policy is replaced with POLICY_USER.
 *   2. POLICY_PUBLIC is narrowed to POLICY_USER unless the
 *      'policy.allow-public' setting is on AND the capability is CAN_VIEW.
 *   3. hasAutomaticCapability() is consulted. A truthy answer grants access
 *      before the policy is looked at, so it also applies to POLICY_NOONE
 *      and to policies that would otherwise hit the exception below.
 *   4. The effective policy is matched against the built-in policies.
 *
 * NOTE(review): the policy comparisons (`==` and `switch`) are loose;
 * presumably getPolicy() only ever returns strings -- confirm, since loose
 * matching on other types could select an unintended case.
 *
 * @param PhabricatorPolicyInterface $object Object being checked.
 * @param mixed $capability Capability being requested.
 * @return bool True when the capability is granted. False when it is denied
 *   and rejectObject() returned normally (whether rejectObject() can throw
 *   instead is not visible from this method).
 * @throws Exception When the effective policy is none of the policies
 *   handled in the switch.
 */
private function checkCapability(
  PhabricatorPolicyInterface $object,
  $capability) {

  $policy = $object->getPolicy($capability);
  if (!$policy) {
    // TODO: Formalize this somehow?
    $policy = PhabricatorPolicies::POLICY_USER;
  }

  if ($policy == PhabricatorPolicies::POLICY_PUBLIC) {
    // "Public" only survives when the install allows public policies and
    // the capability is "view"; in every other case it is restricted to
    // "user".
    $public_enabled = PhabricatorEnv::getEnvConfig('policy.allow-public');
    $is_view = ($capability == PhabricatorPolicyCapability::CAN_VIEW);
    if (!$public_enabled || !$is_view) {
      $policy = PhabricatorPolicies::POLICY_USER;
    }
  }

  $viewer = $this->viewer;
  if ($object->hasAutomaticCapability($capability, $viewer)) {
    return true;
  }

  switch ($policy) {
    case PhabricatorPolicies::POLICY_PUBLIC:
      return true;
    case PhabricatorPolicies::POLICY_USER:
      // Granted to any viewer that has a PHID.
      $allowed = (bool)$viewer->getPHID();
      break;
    case PhabricatorPolicies::POLICY_ADMIN:
      $allowed = (bool)$viewer->getIsAdmin();
      break;
    case PhabricatorPolicies::POLICY_NOONE:
      $allowed = false;
      break;
    default:
      // Unrecognized policies never fall through to an allow.
      throw new Exception("Object has unknown policy '{$policy}'!");
  }

  if ($allowed) {
    return true;
  }

  $this->rejectObject($object, $policy, $capability);
  return false;
}