private function appendSpaceInformation(AphrontDialogView $dialog, PhabricatorPolicyInterface $object, PhabricatorPolicy $policy, $capability)
{
$viewer = $this->getViewer();
if (!$object instanceof PhabricatorSpacesInterface) {
return;
}
if (!PhabricatorSpacesNamespaceQuery::getSpacesExist($viewer)) {
return;
}
// NOTE: We're intentionally letting users through here, even if they only
// have access to one space. The intent is to help users in "space jail"
// understand who objects they create are visible to:
$space_phid = PhabricatorSpacesNamespaceQuery::getObjectSpacePHID($object);
$handles = $viewer->loadHandles(array($space_phid));
$doc_href = PhabricatorEnv::getDoclink('Spaces User Guide');
$dialog->appendParagraph(array(pht('This object is in %s, and can only be seen or edited by users with ' . 'access to view objects in the space.', $handles[$space_phid]->renderLink()), ' ', phutil_tag('strong', array(), phutil_tag('a', array('href' => $doc_href, 'target' => '_blank'), pht('Learn More')))));
$spaces = PhabricatorSpacesNamespaceQuery::getViewerSpaces($viewer);
$space = idx($spaces, $space_phid);
if (!$space) {
return;
}
$space_policies = PhabricatorPolicyQuery::loadPolicies($viewer, $space);
$space_policy = idx($space_policies, PhabricatorPolicyCapability::CAN_VIEW);
if (!$space_policy) {
return;
}
$space_explanation = PhabricatorPolicy::getPolicyExplanation($viewer, $space_policy->getPHID());
$items = array();
$items[] = $space_explanation;
foreach ($items as $key => $item) {
$items[$key] = phutil_tag('li', array(), $item);
}
$dialog->appendParagraph(pht('Users who can see objects in this space:'));
$dialog->appendChild(phutil_tag('ul', array(), $items));
$view_capability = PhabricatorPolicyCapability::CAN_VIEW;
if ($capability == $view_capability) {
$stronger = $space_policy->isStrongerThan($policy);
if ($stronger) {
$dialog->appendParagraph(pht('The space this object is in has a more restrictive view ' . 'policy ("%s") than the object does ("%s"), so the space\'s ' . 'view policy is shown as a hint instead of the object policy.', $space_policy->getShortName(), $policy->getShortName()));
}
}
$dialog->appendParagraph(pht('After a user passes space policy checks, they must still pass ' . 'object policy checks.'));
}
private function buildSpaceSection(PhabricatorPolicyInterface $object, PhabricatorPolicy $policy, $capability)
{
$viewer = $this->getViewer();
if (!$object instanceof PhabricatorSpacesInterface) {
return null;
}
if (!PhabricatorSpacesNamespaceQuery::getSpacesExist($viewer)) {
return null;
}
$space_phid = PhabricatorSpacesNamespaceQuery::getObjectSpacePHID($object);
$spaces = PhabricatorSpacesNamespaceQuery::getViewerSpaces($viewer);
$space = idx($spaces, $space_phid);
if (!$space) {
return null;
}
$space_policies = PhabricatorPolicyQuery::loadPolicies($viewer, $space);
$space_policy = idx($space_policies, PhabricatorPolicyCapability::CAN_VIEW);
if (!$space_policy) {
return null;
}
$doc_href = PhabricatorEnv::getDoclink('Spaces User Guide');
$capability_name = $this->getCapabilityName($capability);
$space_section = id(new PHUIPolicySectionView())->setViewer($viewer)->setIcon('fa-th-large bluegrey')->setHeader(pht('Space'))->setDocumentationLink(pht('Spaces Documentation'), $doc_href)->appendList(array(array(phutil_tag('strong', array(), pht('Space:')), ' ', $viewer->renderHandle($space_phid)->setAsTag(true)), array(phutil_tag('strong', array(), pht('%s:', $capability_name)), ' ', $space_policy->getShortName())))->appendParagraph(pht('This object is in %s and can only be seen or edited by users ' . 'with access to view objects in the space.', $viewer->renderHandle($space_phid)));
$space_explanation = PhabricatorPolicy::getPolicyExplanation($viewer, $space_policy->getPHID());
$items = array();
$items[] = $space_explanation;
$space_section->appendParagraph(pht('Users who can see objects in this space:'))->appendList($items);
$view_capability = PhabricatorPolicyCapability::CAN_VIEW;
if ($capability == $view_capability) {
$stronger = $space_policy->isStrongerThan($policy);
if ($stronger) {
$space_section->appendHint(pht('The space this object is in has a more restrictive view ' . 'policy ("%s") than the object does ("%s"), so the space\'s ' . 'view policy is shown as a hint instead of the object policy.', $space_policy->getShortName(), $policy->getShortName()));
}
}
$space_section->appendHint(pht('After a user passes space policy checks, they must still pass ' . 'object policy checks.'));
return $space_section;
}
public function execute(PhutilArgumentParser $args)
{
$console = PhutilConsole::getConsole();
$viewer = $this->getViewer();
$obj_names = $args->getArg('objects');
if (!$obj_names) {
throw new PhutilArgumentUsageException(pht('Specify the name of an object to show policy information for.'));
} else {
if (count($obj_names) > 1) {
throw new PhutilArgumentUsageException(pht('Specify the name of exactly one object to show policy information ' . 'for.'));
}
}
$object = id(new PhabricatorObjectQuery())->setViewer($viewer)->withNames($obj_names)->executeOne();
if (!$object) {
$name = head($obj_names);
throw new PhutilArgumentUsageException(pht("No such object '%s'!", $name));
}
$handle = id(new PhabricatorHandleQuery())->setViewer($viewer)->withPHIDs(array($object->getPHID()))->executeOne();
$policies = PhabricatorPolicyQuery::loadPolicies($viewer, $object);
$console->writeOut("__%s__\n\n", pht('OBJECT'));
$console->writeOut(" %s\n", $handle->getFullName());
$console->writeOut("\n");
$console->writeOut("__%s__\n\n", pht('CAPABILITIES'));
foreach ($policies as $capability => $policy) {
$console->writeOut(" **%s**\n", $capability);
$console->writeOut(" %s\n", $policy->renderDescription());
$console->writeOut(" %s\n", PhabricatorPolicy::getPolicyExplanation($viewer, $policy->getPHID()));
$console->writeOut("\n");
$more = (array) $object->describeAutomaticCapability($capability);
if ($more) {
foreach ($more as $line) {
$console->writeOut(" %s\n", $line);
}
$console->writeOut("\n");
}
}
}
public function processRequest()
{
$request = $this->getRequest();
$viewer = $request->getUser();
$phid = $this->phid;
$capability = $this->capability;
$object = id(new PhabricatorObjectQuery())->setViewer($viewer)->withPHIDs(array($phid))->executeOne();
if (!$object) {
return new Aphront404Response();
}
$policies = PhabricatorPolicyQuery::loadPolicies($viewer, $object);
$policy = idx($policies, $capability);
if (!$policy) {
return new Aphront404Response();
}
$handle = id(new PhabricatorHandleQuery())->setViewer($viewer)->withPHIDs(array($phid))->executeOne();
$object_uri = nonempty($handle->getURI(), '/');
$explanation = PhabricatorPolicy::getPolicyExplanation($viewer, $policy->getPHID());
$auto_info = (array) $object->describeAutomaticCapability($capability);
$auto_info = array_merge(array($explanation), $auto_info);
$auto_info = array_filter($auto_info);
foreach ($auto_info as $key => $info) {
$auto_info[$key] = phutil_tag('li', array(), $info);
}
if ($auto_info) {
$auto_info = phutil_tag('ul', array(), $auto_info);
}
$capability_name = $capability;
$capobj = PhabricatorPolicyCapability::getCapabilityByKey($capability);
if ($capobj) {
$capability_name = $capobj->getCapabilityName();
}
$content = array(pht('Users with the "%s" capability:', $capability_name), $auto_info);
$object_name = pht('%s %s', $handle->getTypeName(), $handle->getObjectName());
$dialog = id(new AphrontDialogView())->setUser($viewer)->setClass('aphront-access-dialog')->setTitle(pht('Policy Details: %s', $object_name))->appendChild($content)->addCancelButton($object_uri, pht('Done'));
return id(new AphrontDialogResponse())->setDialog($dialog);
}
private function renderPolicyProperty(PhabricatorPolicyInterface $object)
{
$viewer = $this->getUser();
$policies = PhabricatorPolicyQuery::loadPolicies($viewer, $object);
$view_capability = PhabricatorPolicyCapability::CAN_VIEW;
$policy = idx($policies, $view_capability);
if (!$policy) {
return null;
}
// If an object is in a Space with a strictly stronger (more restrictive)
// policy, we show the more restrictive policy. This better aligns the
// UI hint with the actual behavior.
// NOTE: We'll do this even if the viewer has access to only one space, and
// show them information about the existence of spaces if they click
// through.
$use_space_policy = false;
if ($object instanceof PhabricatorSpacesInterface) {
$space_phid = PhabricatorSpacesNamespaceQuery::getObjectSpacePHID($object);
$spaces = PhabricatorSpacesNamespaceQuery::getViewerSpaces($viewer);
$space = idx($spaces, $space_phid);
if ($space) {
$space_policies = PhabricatorPolicyQuery::loadPolicies($viewer, $space);
$space_policy = idx($space_policies, $view_capability);
if ($space_policy) {
if ($space_policy->isStrongerThan($policy)) {
$policy = $space_policy;
$use_space_policy = true;
}
}
}
}
$container_classes = array();
$container_classes[] = 'policy-header-callout';
$phid = $object->getPHID();
// If we're going to show the object policy, try to determine if the object
// policy differs from the default policy. If it does, we'll call it out
// as changed.
if (!$use_space_policy) {
$default_policy = PhabricatorPolicyQuery::getDefaultPolicyForObject($viewer, $object, $view_capability);
if ($default_policy) {
if ($default_policy->getPHID() != $policy->getPHID()) {
$container_classes[] = 'policy-adjusted';
if ($default_policy->isStrongerThan($policy)) {
// The policy has strictly been weakened. For example, the
// default might be "All Users" and the current policy is "Public".
$container_classes[] = 'policy-adjusted-weaker';
} else {
if ($policy->isStrongerThan($default_policy)) {
// The policy has strictly been strengthened, and is now more
// restrictive than the default. For example, "All Users" has
// been replaced with "No One".
$container_classes[] = 'policy-adjusted-stronger';
} else {
// The policy has been adjusted but not strictly strengthened
// or weakened. For example, "Members of X" has been replaced with
// "Members of Y".
$container_classes[] = 'policy-adjusted-different';
}
}
}
}
}
$icon = id(new PHUIIconView())->setIcon($policy->getIcon() . ' bluegrey');
$link = javelin_tag('a', array('class' => 'policy-link', 'href' => '/policy/explain/' . $phid . '/' . $view_capability . '/', 'sigil' => 'workflow'), $policy->getShortName());
return phutil_tag('span', array('class' => implode(' ', $container_classes)), array($icon, $link));
}
private function renderPolicyProperty(PhabricatorPolicyInterface $object)
{
$policies = PhabricatorPolicyQuery::loadPolicies($this->getUser(), $object);
$view_capability = PhabricatorPolicyCapability::CAN_VIEW;
$policy = idx($policies, $view_capability);
if (!$policy) {
return null;
}
$phid = $object->getPHID();
$icon = id(new PHUIIconView())->setIconFont($policy->getIcon() . ' bluegrey');
$link = javelin_tag('a', array('class' => 'policy-link', 'href' => '/policy/explain/' . $phid . '/' . $view_capability . '/', 'sigil' => 'workflow'), $policy->getShortName());
return array($icon, $link);
}
