/**
 * Decide whether the viewer passes this rule for a given object.
 *
 * The decision is a pure lookup: the viewer's entry is taken from
 * `$this->memberships` and the rule passes only when that entry has a key
 * for the object's PHID. Any missing piece (no viewer PHID, no entry for
 * the viewer, no key for the object) results in a denial, so the rule
 * fails closed.
 *
 * NOTE(review): `$this->memberships` is presumably filled by a bulk-load
 * step elsewhere in the class; that step is not visible here. If it has
 * not run, every viewer is denied.
 *
 * @param PhabricatorUser $viewer Viewer being evaluated.
 * @param mixed $value Rule value; this implementation does not read it.
 * @param PhabricatorPolicyInterface $object Object being accessed.
 * @return bool True when the viewer has an entry for the object's PHID.
 */
public function applyRule(PhabricatorUser $viewer, $value, PhabricatorPolicyInterface $object)
 {
     $phid = $viewer->getPHID();
     if ($phid) {
         $known = idx($this->memberships, $phid);
         $object_phid = $object->getPHID();
         return isset($known[$object_phid]);
     }
     // A viewer without a PHID can not hold a membership.
     return false;
 }
 /**
  * Decide whether the viewer passes this rule as a subscriber of an object.
  *
  * Checks run in order: a viewer without a PHID is denied; a viewer the
  * object reports as automatically subscribed is allowed; otherwise the
  * viewer's entry in `$this->subscribed` must have a key for the object's
  * PHID.
  *
  * NOTE(review): the automatic-subscription branch grants access on the
  * object's own answer, without consulting `$this->subscribed`. What makes
  * a viewer "automatically subscribed" is defined by the object class and
  * is not visible here -- confirm each implementation is as narrow as
  * intended.
  *
  * @param PhabricatorUser $viewer Viewer being evaluated.
  * @param mixed $value Rule value; this implementation does not read it.
  * @param PhabricatorPolicyInterface $object Object being accessed.
  * @return bool True when the viewer counts as a subscriber.
  */
 public function applyRule(PhabricatorUser $viewer, $value, PhabricatorPolicyInterface $object)
 {
     $phid = $viewer->getPHID();
     if (!$phid) {
         // A viewer without a PHID can not be a subscriber.
         return false;
     }
     if (!$object->isAutomaticallySubscribed($phid)) {
         // Fall back to the explicit subscription map.
         $explicit = idx($this->subscribed, $phid);
         $object_phid = $object->getPHID();
         return isset($explicit[$object_phid]);
     }
     return true;
 }
 /**
  * Build the "access denied" title for an object the viewer was refused.
  *
  * The object's name is taken from a handle loaded as `$this->viewer`, not
  * from the object itself. The wording depends on the
  * `phabricator.serious-business` configuration value.
  *
  * NOTE(review): the returned string names an object the viewer was just
  * denied. Presumably the handle query substitutes a restricted placeholder
  * name when the viewer can not see the object -- confirm before showing or
  * logging this string anywhere the viewer can read it.
  *
  * @param PhabricatorPolicyInterface $object Object access was denied to.
  * @return string Translated title containing the handle's object name.
  */
 private function renderAccessDenied(PhabricatorPolicyInterface $object)
 {
     // Not every type of policy object has a real PHID; fall back to the void
     // PHID so that an empty handle is loaded instead.
     $handle_phid = nonempty($object->getPHID(), PhabricatorPHIDConstants::PHID_VOID);
     $handle = id(new PhabricatorHandleQuery())
         ->setViewer($this->viewer)
         ->withPHIDs(array($handle_phid))
         ->executeOne();
     $name = $handle->getObjectName();
     if (PhabricatorEnv::getEnvConfig('phabricator.serious-business')) {
         return pht('Access Denied: %s', $name);
     }
     return pht('You Shall Not Pass: %s', $name);
 }
 /**
  * Record a rejected object and hand it to the policy filter.
  *
  * The object's view policy is looked up on a best-effort basis, the
  * object's PHID is registered as policy-filtered, and the rejection is
  * then passed to the policy filter for the `CAN_VIEW` capability.
  *
  * @param PhabricatorPolicyInterface $object Object that was rejected.
  * @return void
  */
 protected function didRejectResult(PhabricatorPolicyInterface $object)
 {
     $view = PhabricatorPolicyCapability::CAN_VIEW;

     // Some objects (like commits) may be rejected because related objects
     // (like repositories) can not be loaded. Those related objects may be
     // needed to determine the policy, so occasionally the policy can not be
     // determined at all. That is expected: the failure is deliberately
     // swallowed and the rejection proceeds with no policy.
     $policy = null;
     try {
         $policy = $object->getPolicy($view);
     } catch (Exception $ex) {
         $policy = null;
     }

     // Register the PHID as filtered first, so handles can render
     // "Restricted" instead of "Unknown".
     $rejected_phid = $object->getPHID();
     $this->addPolicyFilteredPHIDs(array($rejected_phid => $rejected_phid));

     $filter = $this->getPolicyFilter();
     $filter->rejectObject($object, $policy, $view);
 }
 /**
  * Raise a policy exception describing why the viewer was refused.
  *
  * Returns without raising when policy exceptions are disabled on this
  * filter or when the viewer is omnipotent. Otherwise it assembles a title,
  * a capability name, a rejection sentence and a list of details, then
  * throws them as a PhabricatorPolicyException.
  *
  * NOTE(review): the exception text combines the handle's type and object
  * name, the capability name and the policy explanation. The handle is
  * loaded as `$this->viewer`; presumably that keeps the name to what the
  * viewer may see -- confirm before copying the message to logs or to
  * other users.
  *
  * @param PhabricatorPolicyInterface $object Object access was denied to.
  * @param mixed $policy Policy passed on to the policy explanation; callers
  *   in this file may pass null when it could not be determined.
  * @param string $capability Capability key that was required.
  * @return void
  * @throws PhabricatorPolicyException When exceptions are enabled and the
  *   viewer is not omnipotent.
  */
 public function rejectObject(PhabricatorPolicyInterface $object, $policy, $capability)
 {
     // Never raise policy exceptions for the omnipotent viewer. Although a
     // policy rejection is never normally issued for the omnipotent viewer,
     // this point can be reached when queries blanket reject objects that
     // have failed to load, without distinguishing between nonexistent and
     // nonvisible objects.
     if (!$this->raisePolicyExceptions || $this->viewer->isOmnipotent()) {
         return;
     }

     $capobj = PhabricatorPolicyCapability::getCapabilityByKey($capability);
     $reason = null;
     if (!$capobj) {
         // Unknown capability: the raw key stands in for the name.
         $capability_name = $capability;
     } else {
         $reason = $capobj->describeCapabilityRejection();
         $capability_name = $capobj->getCapabilityName();
     }
     if (!$reason) {
         // Either there is no capability object, or it does not provide a
         // tailored rejection string.
         $reason = pht('You do not have the required capability ("%s") to do whatever you ' . 'are trying to do.', $capability);
     }

     $explanation = PhabricatorPolicy::getPolicyExplanation($this->viewer, $policy);
     $automatic = $object->describeAutomaticCapability($capability);
     // Drop empty entries so the joined details contain only real text.
     $details = array_filter(array_merge(array($explanation), (array) $automatic));

     // Not every type of policy object has a real PHID; fall back to the void
     // PHID so that an empty handle is loaded instead.
     $handle_phid = nonempty($object->getPHID(), PhabricatorPHIDConstants::PHID_VOID);
     $handle = id(new PhabricatorHandleQuery())
         ->setViewer($this->viewer)
         ->withPHIDs(array($handle_phid))
         ->executeOne();
     $described = pht('%s %s', $handle->getTypeName(), $handle->getObjectName());

     $title = PhabricatorEnv::getEnvConfig('phabricator.serious-business')
         ? pht('Access Denied: %s', $described)
         : pht('You Shall Not Pass: %s', $described);

     $message = pht('[%s] (%s) %s // %s', $title, $capability_name, $reason, implode(' ', $details));

     throw id(new PhabricatorPolicyException($message))
         ->setTitle($title)
         ->setRejection($reason)
         ->setCapabilityName($capability_name)
         ->setMoreInfo($details);
 }
 /**
  * Load the default policy configured for an object's type and capability.
  *
  * The object's PHID type and the capability key index into the map
  * returned by `getDefaultObjectTypePolicyMap()`. When the map holds a
  * non-empty policy PHID for that pair, the policy is loaded as `$viewer`.
  *
  * NOTE(review): a null return means "no default configured" (or the object
  * has no PHID); what callers apply in that case is not visible here --
  * confirm they fall back to a restrictive policy.
  *
  * @param PhabricatorUser $viewer Viewer used to load the policy.
  * @param PhabricatorPolicyInterface $object Object whose type is looked up.
  * @param string $capability Capability key to find a default for.
  * @return mixed Result of the policy query, or null when the object has no
  *   PHID or no default is mapped.
  */
 public static function getDefaultPolicyForObject(PhabricatorUser $viewer, PhabricatorPolicyInterface $object, $capability)
 {
     $object_phid = $object->getPHID();
     if (!$object_phid) {
         // Without a PHID there is no type to look up.
         return null;
     }

     $object_type = phid_get_type($object_phid);
     $defaults = self::getDefaultObjectTypePolicyMap();
     if (!empty($defaults[$object_type][$capability])) {
         $default_phid = $defaults[$object_type][$capability];
         return id(new PhabricatorPolicyQuery())
             ->setViewer($viewer)
             ->withPHIDs(array($default_phid))
             ->executeOne();
     }

     return null;
 }