/**
 * Evaluate this policy rule for a viewer against an object.
 *
 * The check fails closed: a viewer without a PHID never passes. Otherwise
 * the rule passes only when `$this->memberships` holds an entry for the
 * object's PHID under the viewer's PHID.
 *
 * @param PhabricatorUser $viewer Viewer whose access is being evaluated.
 * @param wild $value Rule value; not consulted by this implementation.
 * @param PhabricatorPolicyInterface $object Object being accessed.
 * @return bool True when the rule passes for this viewer and object.
 */
public function applyRule(
  PhabricatorUser $viewer,
  $value,
  PhabricatorPolicyInterface $object) {

  $viewer_phid = $viewer->getPHID();

  if ($viewer_phid) {
    // NOTE(review): `$this->memberships` is filled in elsewhere (not visible
    // here). A missing entry for this viewer yields null from idx(), and the
    // isset() below then evaluates to false, so an unpopulated map denies.
    $viewer_memberships = idx($this->memberships, $viewer_phid);
    return isset($viewer_memberships[$object->getPHID()]);
  }

  // No PHID on the viewer: nothing to match against, so deny.
  return false;
}
/**
 * Evaluate this policy rule for a viewer against an object.
 *
 * The check fails closed for a viewer without a PHID. A viewer the object
 * reports as automatically subscribed passes immediately; anyone else
 * passes only when `$this->subscribed` holds an entry for the object's
 * PHID under the viewer's PHID.
 *
 * @param PhabricatorUser $viewer Viewer whose access is being evaluated.
 * @param wild $value Rule value; not consulted by this implementation.
 * @param PhabricatorPolicyInterface $object Object being accessed.
 * @return bool True when the rule passes for this viewer and object.
 */
public function applyRule(
  PhabricatorUser $viewer,
  $value,
  PhabricatorPolicyInterface $object) {

  $viewer_phid = $viewer->getPHID();
  if (!$viewer_phid) {
    // No PHID on the viewer: deny rather than guess.
    return false;
  }

  // NOTE(review): the parameter is only typed as PhabricatorPolicyInterface;
  // this call presumes the object also provides isAutomaticallySubscribed().
  // Confirm that callers only pass subscribable objects.
  $is_automatic = $object->isAutomaticallySubscribed($viewer_phid);
  if ($is_automatic) {
    return true;
  }

  // A missing entry for this viewer yields null from idx(); isset() on a
  // null container is false, so an unpopulated map denies.
  $viewer_subscriptions = idx($this->subscribed, $viewer_phid);
  return isset($viewer_subscriptions[$object->getPHID()]);
}
/**
 * Build the "access denied" title string for an object.
 *
 * The object's display name is taken from a handle loaded as
 * `$this->viewer`. The wording depends on the
 * `phabricator.serious-business` configuration value.
 *
 * @param PhabricatorPolicyInterface $object Object access was denied to.
 * @return string Translated denial title including the object name.
 */
private function renderAccessDenied(PhabricatorPolicyInterface $object) {
  // Not every type of policy object has a real PHID, so fall back to the
  // void PHID and load an empty handle when none is available.
  $lookup_phid = nonempty(
    $object->getPHID(),
    PhabricatorPHIDConstants::PHID_VOID);

  // NOTE(review): the handle is loaded with the current viewer. Whether the
  // resulting name is masked for objects the viewer cannot see depends on
  // PhabricatorHandleQuery, which is not visible here. Confirm that before
  // showing this string to the rejected viewer.
  $handle_query = id(new PhabricatorHandleQuery())
    ->setViewer($this->viewer)
    ->withPHIDs(array($lookup_phid));
  $handle = $handle_query->executeOne();

  $object_name = $handle->getObjectName();

  $is_serious = PhabricatorEnv::getEnvConfig('phabricator.serious-business');

  return $is_serious
    ? pht('Access Denied: %s', $object_name)
    : pht('You Shall Not Pass: %s', $object_name);
}
/**
 * Record that an object was rejected by policy and hand it to the policy
 * filter as a CAN_VIEW rejection.
 *
 * The object's PHID is added to the policy-filtered PHID set, then
 * `rejectObject()` is invoked on the policy filter. Both steps happen
 * whether or not the view policy could be determined.
 *
 * @param PhabricatorPolicyInterface $object Object that was rejected.
 * @return void
 */
protected function didRejectResult(PhabricatorPolicyInterface $object) {
  // Some objects (like commits) may be rejected because related objects
  // (like repositories) can not be loaded. Those related objects may be
  // needed to determine the object policy, so it is expected that the policy
  // is occasionally unavailable. In that case the rejection proceeds with a
  // null policy instead of being skipped.
  $view_policy = null;
  try {
    $view_policy = $object->getPolicy(PhabricatorPolicyCapability::CAN_VIEW);
  } catch (Exception $ex) {
    // Deliberately ignored: $view_policy stays null.
  }

  // Mark this object as filtered so handles can render "Restricted" instead
  // of "Unknown".
  // NOTE(review): if getPHID() returns null the map key becomes the empty
  // string. Confirm that consumers of the filtered-PHID set tolerate that.
  $object_phid = $object->getPHID();
  $this->addPolicyFilteredPHIDs(array($object_phid => $object_phid));

  $filter = $this->getPolicyFilter();
  $filter->rejectObject(
    $object,
    $view_policy,
    PhabricatorPolicyCapability::CAN_VIEW);
}
/**
 * Raise a policy exception describing why the viewer lacks a capability
 * on an object.
 *
 * Returns without throwing when policy exceptions are disabled on this
 * filter or when the viewer is omnipotent. A plain return from this method
 * is therefore not a signal that access was granted; callers have to track
 * the rejection themselves.
 *
 * @param PhabricatorPolicyInterface $object Object access was denied to.
 * @param wild $policy Policy passed to the explanation lookup; may be null.
 * @param string $capability Capability key that was required.
 * @return void
 * @throws PhabricatorPolicyException When exceptions are enabled and the
 *   viewer is not omnipotent.
 */
public function rejectObject(
  PhabricatorPolicyInterface $object,
  $policy,
  $capability) {

  // Never raise policy exceptions for the omnipotent viewer. Although a
  // policy rejection is never normally issued for the omnipotent viewer, we
  // can end up here when queries blanket reject objects that have failed to
  // load, without distinguishing between nonexistent and nonvisible objects.
  if (!$this->raisePolicyExceptions || $this->viewer->isOmnipotent()) {
    return;
  }

  $capobj = PhabricatorPolicyCapability::getCapabilityByKey($capability);

  if ($capobj) {
    $rejection = $capobj->describeCapabilityRejection();
    $capability_name = $capobj->getCapabilityName();
  } else {
    $rejection = null;
    $capability_name = $capability;
  }

  if (!$rejection) {
    // We couldn't find the capability object, or it doesn't provide a
    // tailored rejection string, so fall back to a generic message that
    // names the raw capability key.
    $rejection = pht(
      'You do not have the required capability ("%s") to do whatever you ' . 'are trying to do.',
      $capability);
  }

  // Collect the policy explanation plus any automatic-capability
  // descriptions, dropping empty entries.
  $explanation = PhabricatorPolicy::getPolicyExplanation(
    $this->viewer,
    $policy);
  $automatic = $object->describeAutomaticCapability($capability);
  $combined = array_merge(array($explanation), (array) $automatic);
  $details = array_filter($combined);

  // Not every type of policy object has a real PHID, so fall back to the
  // void PHID and load an empty handle when none is available.
  $lookup_phid = nonempty(
    $object->getPHID(),
    PhabricatorPHIDConstants::PHID_VOID);

  // NOTE(review): the type and object names below end up in the exception
  // title and message. The handle is loaded as the rejected viewer; whether
  // that masks names of objects the viewer cannot see depends on
  // PhabricatorHandleQuery (not visible here). Confirm that before the
  // message is rendered or logged.
  $handle = id(new PhabricatorHandleQuery())
    ->setViewer($this->viewer)
    ->withPHIDs(array($lookup_phid))
    ->executeOne();

  $object_name = pht(
    '%s %s',
    $handle->getTypeName(),
    $handle->getObjectName());

  $is_serious = PhabricatorEnv::getEnvConfig('phabricator.serious-business');
  $title = $is_serious
    ? pht('Access Denied: %s', $object_name)
    : pht('You Shall Not Pass: %s', $object_name);

  $full_message = pht(
    '[%s] (%s) %s // %s',
    $title,
    $capability_name,
    $rejection,
    implode(' ', $details));

  throw id(new PhabricatorPolicyException($full_message))
    ->setTitle($title)
    ->setRejection($rejection)
    ->setCapabilityName($capability_name)
    ->setMoreInfo($details);
}
/**
 * Look up the default policy configured for an object's type and a
 * capability.
 *
 * Returns null when the object has no PHID, or when the default map has no
 * non-empty entry for the object's PHID type and the capability. Otherwise
 * the mapped policy PHID is loaded through PhabricatorPolicyQuery as
 * `$viewer`.
 *
 * @param PhabricatorUser $viewer Viewer used to load the policy.
 * @param PhabricatorPolicyInterface $object Object to find a default for.
 * @param string $capability Capability key to look up.
 * @return wild Result of `executeOne()` on the policy query, or null when
 *   no default applies.
 */
public static function getDefaultPolicyForObject(
  PhabricatorUser $viewer,
  PhabricatorPolicyInterface $object,
  $capability) {

  $object_phid = $object->getPHID();
  if (!$object_phid) {
    return null;
  }

  $object_type = phid_get_type($object_phid);
  $defaults = self::getDefaultObjectTypePolicyMap();

  // empty() covers both a missing type/capability entry and a falsy value.
  $has_default = !empty($defaults[$object_type][$capability]);
  if (!$has_default) {
    return null;
  }

  $default_phid = $defaults[$object_type][$capability];

  // NOTE(review): callers receive null both for "no default configured" and,
  // presumably, when the query finds nothing. Confirm that each caller
  // treats null as "no default" rather than as an open policy.
  $policy_query = id(new PhabricatorPolicyQuery())
    ->setViewer($viewer)
    ->withPHIDs(array($default_phid));

  return $policy_query->executeOne();
}