Fixes T9041. Let's non-admins see the page. Not sure how this ever worked?
Details
Details
- Reviewers
epriestley - Maniphest Tasks
- T9041: Control access to administrator capabilities with custom policies
Test on a non admin account, can see page, but not create users. Give permissions to All Users, See ability to create a real user.
Diff Detail
Diff Detail
- Repository
- rP Phabricator
- Branch
- people-perms
- Lint
Lint Passed - Unit
Tests Passed - Build Status
Buildable 7471 Build 7982: [Placeholder Plan] Wait for 30 Seconds Build 7981: arc lint + arc unit
Event Timeline
This comment was removed by eadler.
Comment Actions
This "works" because we added it for the Phacility cluster and use it to reduce access there (from "Administrators" to "No One").
I think this patch isn't correct. In particular, I believe it:
- allows any user to see this screen and try to create bot and mailing list users, even if they are not administrators; and
- doesn't actually allow creation of new users by non-administrators, since it just sends you to PhabricatorPeopleNewController after you make a choice, which also requires administrative access.
The "Can Create (non-bot) Users" permission doesn't mean "can create users", it means "assuming you can already create users because you are an administrator, can you create 'standard' (non-bot, non-list) users?". We added it to prevent Phacility instances from creating new unlinked user accounts, and it probably isn't very useful for much outside of that.
I'll follow up in T9041. I don't think there's a way forward here right now.