/**
 * Append a description of the object's space, and of who can view objects in
 * that space, to a policy dialog.
 *
 * Returns without touching the dialog when the object does not implement
 * PhabricatorSpacesInterface or when
 * PhabricatorSpacesNamespaceQuery::getSpacesExist() is false for the viewer.
 *
 * @param AphrontDialogView $dialog Dialog the paragraphs are appended to.
 * @param PhabricatorPolicyInterface $object Object whose space is described.
 * @param PhabricatorPolicy $policy Object policy the space's view policy is
 *   compared against.
 * @param $capability Capability being explained; the "more restrictive"
 *   paragraph is only considered for PhabricatorPolicyCapability::CAN_VIEW.
 * @return void
 */
private function appendSpaceInformation(AphrontDialogView $dialog, PhabricatorPolicyInterface $object, PhabricatorPolicy $policy, $capability)
 {
     $viewer = $this->getViewer();
     $has_space_support = $object instanceof PhabricatorSpacesInterface;
     if (!$has_space_support || !PhabricatorSpacesNamespaceQuery::getSpacesExist($viewer)) {
         return;
     }

     // Deliberately no shortcut for viewers who can reach only one space:
     // users confined to a single space should still learn who can see the
     // objects they create.
     $space_phid = PhabricatorSpacesNamespaceQuery::getObjectSpacePHID($object);
     $handles = $viewer->loadHandles(array($space_phid));
     $doc_href = PhabricatorEnv::getDoclink('Spaces User Guide');

     // NOTE(review): this paragraph links the space handle before the
     // getViewerSpaces() lookup below, so it is appended even when the space
     // is not among the viewer's spaces. Presumably a handle loaded through
     // $viewer renders as restricted in that case - confirm.
     $space_sentence = pht(
         'This object is in %s, and can only be seen or edited by users with ' . 'access to view objects in the space.',
         $handles[$space_phid]->renderLink()
     );
     $learn_more = phutil_tag(
         'strong',
         array(),
         phutil_tag('a', array('href' => $doc_href, 'target' => '_blank'), pht('Learn More'))
     );
     $dialog->appendParagraph(array($space_sentence, ' ', $learn_more));

     // Everything below needs the space itself, which is only available when
     // it is one of the spaces returned for this viewer.
     $visible_spaces = PhabricatorSpacesNamespaceQuery::getViewerSpaces($viewer);
     $space = idx($visible_spaces, $space_phid);
     if (!$space) {
         return;
     }

     $policies_for_space = PhabricatorPolicyQuery::loadPolicies($viewer, $space);
     $space_policy = idx($policies_for_space, PhabricatorPolicyCapability::CAN_VIEW);
     if (!$space_policy) {
         return;
     }

     $space_explanation = PhabricatorPolicy::getPolicyExplanation($viewer, $space_policy->getPHID());
     $list_items = array(phutil_tag('li', array(), $space_explanation));
     $dialog->appendParagraph(pht('Users who can see objects in this space:'));
     $dialog->appendChild(phutil_tag('ul', array(), $list_items));

     // The space policy is only compared with the object policy when the
     // capability being explained is the view capability.
     if ($capability == PhabricatorPolicyCapability::CAN_VIEW && $space_policy->isStrongerThan($policy)) {
         $dialog->appendParagraph(pht(
             'The space this object is in has a more restrictive view ' . 'policy ("%s") than the object does ("%s"), so the space\'s ' . 'view policy is shown as a hint instead of the object policy.',
             $space_policy->getShortName(),
             $policy->getShortName()
         ));
     }

     $dialog->appendParagraph(pht('After a user passes space policy checks, they must still pass ' . 'object policy checks.'));
 }
 /**
  * Build the "Space" section of a policy explanation.
  *
  * @param PhabricatorPolicyInterface $object Object whose space is described.
  * @param PhabricatorPolicy $policy Object policy the space's view policy is
  *   compared against.
  * @param $capability Capability being explained; its display name comes
  *   from $this->getCapabilityName().
  * @return PHUIPolicySectionView|null Null when the object does not
  *   implement PhabricatorSpacesInterface, when getSpacesExist() is false
  *   for the viewer, when the object's space is not among the viewer's
  *   spaces, or when the space has no CAN_VIEW policy entry.
  */
 private function buildSpaceSection(PhabricatorPolicyInterface $object, PhabricatorPolicy $policy, $capability)
 {
     $viewer = $this->getViewer();
     $has_space_support = $object instanceof PhabricatorSpacesInterface;
     if (!$has_space_support || !PhabricatorSpacesNamespaceQuery::getSpacesExist($viewer)) {
         return null;
     }

     // Unlike the handle-only paragraph a dialog could show, nothing is
     // rendered here unless the space is one the viewer's space list contains.
     $space_phid = PhabricatorSpacesNamespaceQuery::getObjectSpacePHID($object);
     $visible_spaces = PhabricatorSpacesNamespaceQuery::getViewerSpaces($viewer);
     $space = idx($visible_spaces, $space_phid);
     if (!$space) {
         return null;
     }

     $policies_for_space = PhabricatorPolicyQuery::loadPolicies($viewer, $space);
     $space_policy = idx($policies_for_space, PhabricatorPolicyCapability::CAN_VIEW);
     if (!$space_policy) {
         return null;
     }

     $doc_href = PhabricatorEnv::getDoclink('Spaces User Guide');
     $capability_name = $this->getCapabilityName($capability);

     // The chain is kept as one expression so $space_section is exactly what
     // the final appendParagraph() call returns.
     $space_section = id(new PHUIPolicySectionView())
         ->setViewer($viewer)
         ->setIcon('fa-th-large bluegrey')
         ->setHeader(pht('Space'))
         ->setDocumentationLink(pht('Spaces Documentation'), $doc_href)
         ->appendList(array(
             array(
                 phutil_tag('strong', array(), pht('Space:')),
                 ' ',
                 $viewer->renderHandle($space_phid)->setAsTag(true),
             ),
             array(
                 phutil_tag('strong', array(), pht('%s:', $capability_name)),
                 ' ',
                 $space_policy->getShortName(),
             ),
         ))
         ->appendParagraph(pht(
             'This object is in %s and can only be seen or edited by users ' . 'with access to view objects in the space.',
             $viewer->renderHandle($space_phid)
         ));

     $space_explanation = PhabricatorPolicy::getPolicyExplanation($viewer, $space_policy->getPHID());
     $space_section
         ->appendParagraph(pht('Users who can see objects in this space:'))
         ->appendList(array($space_explanation));

     // The space policy is only compared with the object policy when the
     // capability being explained is the view capability.
     if ($capability == PhabricatorPolicyCapability::CAN_VIEW && $space_policy->isStrongerThan($policy)) {
         $space_section->appendHint(pht(
             'The space this object is in has a more restrictive view ' . 'policy ("%s") than the object does ("%s"), so the space\'s ' . 'view policy is shown as a hint instead of the object policy.',
             $space_policy->getShortName(),
             $policy->getShortName()
         ));
     }

     $space_section->appendHint(pht('After a user passes space policy checks, they must still pass ' . 'object policy checks.'));

     return $space_section;
 }
 /**
  * Print the policies of a single named object to the console.
  *
  * For each capability returned by PhabricatorPolicyQuery::loadPolicies()
  * this writes the capability key, the policy description, the policy
  * explanation and any lines from describeAutomaticCapability().
  *
  * @param PhutilArgumentParser $args Parsed arguments; the "objects"
  *   argument must name exactly one object.
  * @return void
  * @throws PhutilArgumentUsageException When no name or more than one name
  *   is given, or when the query finds no object for the name.
  */
 public function execute(PhutilArgumentParser $args)
 {
     $console = PhutilConsole::getConsole();
     $viewer = $this->getViewer();

     $obj_names = $args->getArg('objects');
     if (!$obj_names) {
         throw new PhutilArgumentUsageException(pht('Specify the name of an object to show policy information for.'));
     }
     if (count($obj_names) > 1) {
         throw new PhutilArgumentUsageException(pht('Specify the name of exactly one object to show policy information ' . 'for.'));
     }

     // The lookup runs as $viewer; a name that yields nothing for that viewer
     // is reported the same way as a name that does not exist.
     $object = id(new PhabricatorObjectQuery())
         ->setViewer($viewer)
         ->withNames($obj_names)
         ->executeOne();
     if (!$object) {
         throw new PhutilArgumentUsageException(pht("No such object '%s'!", head($obj_names)));
     }

     $handle = id(new PhabricatorHandleQuery())
         ->setViewer($viewer)
         ->withPHIDs(array($object->getPHID()))
         ->executeOne();
     $policies = PhabricatorPolicyQuery::loadPolicies($viewer, $object);

     $console->writeOut("__%s__\n\n", pht('OBJECT'));
     $console->writeOut("  %s\n", $handle->getFullName());
     $console->writeOut("\n");
     $console->writeOut("__%s__\n\n", pht('CAPABILITIES'));

     foreach ($policies as $capability => $policy) {
         $console->writeOut("  **%s**\n", $capability);
         $console->writeOut("    %s\n", $policy->renderDescription());
         $console->writeOut("    %s\n", PhabricatorPolicy::getPolicyExplanation($viewer, $policy->getPHID()));
         $console->writeOut("\n");

         // Extra lines describing automatic capabilities, followed by a blank
         // line only when there was at least one of them.
         $extra_lines = (array) $object->describeAutomaticCapability($capability);
         if (!$extra_lines) {
             continue;
         }
         foreach ($extra_lines as $extra_line) {
             $console->writeOut("    %s\n", $extra_line);
         }
         $console->writeOut("\n");
     }
 }
 /**
  * Respond with a dialog explaining who holds one capability on one object.
  *
  * The object PHID and the capability are read from $this->phid and
  * $this->capability.
  *
  * @return Aphront404Response|AphrontDialogResponse A 404 when the query
  *   returns no object for the requesting user or when the object has no
  *   policy for the capability; otherwise the dialog response.
  */
 public function processRequest()
 {
     $request = $this->getRequest();
     $viewer = $request->getUser();
     $phid = $this->phid;
     $capability = $this->capability;

     // The object is fetched as the requesting user. A missing object and a
     // lookup that yields nothing for this user both end in the same 404, so
     // the response does not distinguish the two.
     $object = id(new PhabricatorObjectQuery())
         ->setViewer($viewer)
         ->withPHIDs(array($phid))
         ->executeOne();
     if (!$object) {
         return new Aphront404Response();
     }

     // Only capabilities that are keys of the loaded policy map get past this
     // point, which also bounds the raw $capability value that may be shown
     // as a fallback name further down.
     $policies = PhabricatorPolicyQuery::loadPolicies($viewer, $object);
     $policy = idx($policies, $capability);
     if (!$policy) {
         return new Aphront404Response();
     }

     $handle = id(new PhabricatorHandleQuery())
         ->setViewer($viewer)
         ->withPHIDs(array($phid))
         ->executeOne();
     // "Done" goes back to the object, or to "/" when the handle has no URI.
     $object_uri = nonempty($handle->getURI(), '/');

     // Policy explanation first, then the automatic-capability lines; empty
     // entries are dropped by array_filter().
     $explanation = PhabricatorPolicy::getPolicyExplanation($viewer, $policy->getPHID());
     $details = array_filter(array_merge(
         array($explanation),
         (array) $object->describeAutomaticCapability($capability)
     ));

     $list_items = array();
     foreach ($details as $key => $detail) {
         $list_items[$key] = phutil_tag('li', array(), $detail);
     }
     // With nothing to list, the empty array itself is passed on as content.
     $auto_info = $list_items ? phutil_tag('ul', array(), $list_items) : $list_items;

     // Prefer the capability's display name; fall back to its key.
     $capobj = PhabricatorPolicyCapability::getCapabilityByKey($capability);
     $capability_name = $capobj ? $capobj->getCapabilityName() : $capability;

     $content = array(pht('Users with the "%s" capability:', $capability_name), $auto_info);
     $object_name = pht('%s %s', $handle->getTypeName(), $handle->getObjectName());

     $dialog = id(new AphrontDialogView())
         ->setUser($viewer)
         ->setClass('aphront-access-dialog')
         ->setTitle(pht('Policy Details: %s', $object_name))
         ->appendChild($content)
         ->addCancelButton($object_uri, pht('Done'));

     return id(new AphrontDialogResponse())->setDialog($dialog);
 }
 /**
  * Render the view-policy callout for an object: an icon plus a link to the
  * policy explanation, wrapped in a span whose classes record how the policy
  * relates to the default.
  *
  * @param PhabricatorPolicyInterface $object Object whose view policy is
  *   shown.
  * @return mixed The span built by phutil_tag(), or null when the object has
  *   no CAN_VIEW policy entry.
  */
 private function renderPolicyProperty(PhabricatorPolicyInterface $object)
 {
     $viewer = $this->getUser();
     $view_capability = PhabricatorPolicyCapability::CAN_VIEW;

     $policies = PhabricatorPolicyQuery::loadPolicies($viewer, $object);
     $policy = idx($policies, $view_capability);
     if (!$policy) {
         return null;
     }

     // When the object sits in a space whose view policy is strictly stronger
     // (more restrictive), display the space policy instead, so the hint
     // matches what is actually enforced. This also applies to viewers with
     // access to a single space; the click-through tells them about spaces.
     $use_space_policy = false;
     if ($object instanceof PhabricatorSpacesInterface) {
         $space_phid = PhabricatorSpacesNamespaceQuery::getObjectSpacePHID($object);
         $visible_spaces = PhabricatorSpacesNamespaceQuery::getViewerSpaces($viewer);
         $space = idx($visible_spaces, $space_phid);
         if ($space) {
             $policies_for_space = PhabricatorPolicyQuery::loadPolicies($viewer, $space);
             $space_policy = idx($policies_for_space, $view_capability);
             if ($space_policy && $space_policy->isStrongerThan($policy)) {
                 $policy = $space_policy;
                 $use_space_policy = true;
             }
         }
     }

     $container_classes = array('policy-header-callout');
     $phid = $object->getPHID();

     // Only when the object's own policy is displayed: flag a policy that
     // differs from the default for this object, and say in which direction.
     if (!$use_space_policy) {
         $default_policy = PhabricatorPolicyQuery::getDefaultPolicyForObject($viewer, $object, $view_capability);
         if ($default_policy && $default_policy->getPHID() != $policy->getPHID()) {
             $container_classes[] = 'policy-adjusted';
             if ($default_policy->isStrongerThan($policy)) {
                 // Strictly weakened, e.g. default "All Users", current
                 // policy "Public".
                 $container_classes[] = 'policy-adjusted-weaker';
             } elseif ($policy->isStrongerThan($default_policy)) {
                 // Strictly strengthened, e.g. "All Users" replaced with
                 // "No One".
                 $container_classes[] = 'policy-adjusted-stronger';
             } else {
                 // Changed, but neither strictly stronger nor weaker, e.g.
                 // "Members of X" replaced with "Members of Y".
                 $container_classes[] = 'policy-adjusted-different';
             }
         }
     }

     $icon = id(new PHUIIconView())->setIcon($policy->getIcon() . ' bluegrey');

     // The explain URI is assembled from the object's own PHID and the
     // CAN_VIEW constant; no request input goes into it here.
     $explain_uri = '/policy/explain/' . $phid . '/' . $view_capability . '/';
     $link = javelin_tag(
         'a',
         array('class' => 'policy-link', 'href' => $explain_uri, 'sigil' => 'workflow'),
         $policy->getShortName()
     );

     return phutil_tag('span', array('class' => implode(' ', $container_classes)), array($icon, $link));
 }
 /**
  * Render the view-policy icon and explanation link for an object.
  *
  * Only the object's own CAN_VIEW policy is consulted here; this method does
  * not look at any space the object may be in.
  *
  * @param PhabricatorPolicyInterface $object Object whose view policy is
  *   shown.
  * @return array|null Two-element array of icon view and link tag, or null
  *   when the object has no CAN_VIEW policy entry.
  */
 private function renderPolicyProperty(PhabricatorPolicyInterface $object)
 {
     $viewer = $this->getUser();
     $view_capability = PhabricatorPolicyCapability::CAN_VIEW;

     $policy = idx(PhabricatorPolicyQuery::loadPolicies($viewer, $object), $view_capability);
     if (!$policy) {
         return null;
     }

     $phid = $object->getPHID();
     $icon = id(new PHUIIconView())->setIconFont($policy->getIcon() . ' bluegrey');

     // The explain URI is assembled from the object's own PHID and the
     // CAN_VIEW constant; no request input goes into it here.
     $explain_uri = '/policy/explain/' . $phid . '/' . $view_capability . '/';
     $link = javelin_tag(
         'a',
         array('class' => 'policy-link', 'href' => $explain_uri, 'sigil' => 'workflow'),
         $policy->getShortName()
     );

     return array($icon, $link);
 }