diff --git a/resources/sql/autopatches/20151114.passphrase.revealpolicy.1.sql b/resources/sql/autopatches/20151114.passphrase.revealpolicy.1.sql
new file mode 100644
--- /dev/null
+++ b/resources/sql/autopatches/20151114.passphrase.revealpolicy.1.sql
@@ -0,0 +1,2 @@
+ALTER TABLE {$NAMESPACE}_passphrase.passphrase_credential
+  ADD revealPolicy VARBINARY(64) NOT NULL AFTER editPolicy;
diff --git a/resources/sql/autopatches/20151114.passphrase.revealpolicy.2.sql b/resources/sql/autopatches/20151114.passphrase.revealpolicy.2.sql
new file mode 100644
--- /dev/null
+++ b/resources/sql/autopatches/20151114.passphrase.revealpolicy.2.sql
@@ -0,0 +1,3 @@
+UPDATE {$NAMESPACE}_passphrase.passphrase_credential
+  SET revealPolicy = editPolicy
+  WHERE revealPolicy = '';
diff --git a/resources/sql/autopatches/20151114.passphrase.revealpolicy.3.sql b/resources/sql/autopatches/20151114.passphrase.revealpolicy.3.sql
new file mode 100644
--- /dev/null
+++ b/resources/sql/autopatches/20151114.passphrase.revealpolicy.3.sql
@@ -0,0 +1,3 @@
+UPDATE {$NAMESPACE}_passphrase.passphrase_credentialtransaction
+  SET transactionType = 'passphrase:revealed'
+  WHERE transactionType = 'passphrase:lookedAtSecret'
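Review bot: The UPDATE in this patch has no terminating `;`, unlike the two sibling autopatches added in the same commit. Whether the patch runner tolerates an unterminated statement is not visible here, so it is safer to end the last line as `WHERE transactionType = 'passphrase:lookedAtSecret';`. This statement rewrites the type of existing reveal audit rows, so a silently skipped or failed patch would leave old rows that the renamed `TYPE_REVEALED` cases no longer match.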
diff --git a/src/__phutil_library_map__.php b/src/__phutil_library_map__.php
--- a/src/__phutil_library_map__.php
+++ b/src/__phutil_library_map__.php
@@ -1519,12 +1519,14 @@
     'PassphraseCredentialViewController' => 'applications/passphrase/controller/PassphraseCredentialViewController.php',
     'PassphraseDAO' => 'applications/passphrase/storage/PassphraseDAO.php',
     'PassphraseDefaultEditCapability' => 'applications/passphrase/capability/PassphraseDefaultEditCapability.php',
+    'PassphraseDefaultRevealCapability' => 'applications/passphrase/capability/PassphraseDefaultRevealCapability.php',
     'PassphraseDefaultViewCapability' => 'applications/passphrase/capability/PassphraseDefaultViewCapability.php',
     'PassphraseNoteCredentialType' => 'applications/passphrase/credentialtype/PassphraseNoteCredentialType.php',
     'PassphrasePasswordCredentialType' => 'applications/passphrase/credentialtype/PassphrasePasswordCredentialType.php',
     'PassphrasePasswordKey' => 'applications/passphrase/keys/PassphrasePasswordKey.php',
     'PassphraseQueryConduitAPIMethod' => 'applications/passphrase/conduit/PassphraseQueryConduitAPIMethod.php',
     'PassphraseRemarkupRule' => 'applications/passphrase/remarkup/PassphraseRemarkupRule.php',
+    'PassphraseRevealCapability' => 'applications/passphrase/capability/PassphraseRevealCapability.php',
     'PassphraseSSHGeneratedKeyCredentialType' => 'applications/passphrase/credentialtype/PassphraseSSHGeneratedKeyCredentialType.php',
     'PassphraseSSHKey' => 'applications/passphrase/keys/PassphraseSSHKey.php',
     'PassphraseSSHPrivateKeyCredentialType' => 'applications/passphrase/credentialtype/PassphraseSSHPrivateKeyCredentialType.php',
@@ -5498,12 +5500,14 @@
     'PassphraseCredentialViewController' => 'PassphraseController',
     'PassphraseDAO' => 'PhabricatorLiskDAO',
     'PassphraseDefaultEditCapability' => 'PhabricatorPolicyCapability',
+    'PassphraseDefaultRevealCapability' => 'PhabricatorPolicyCapability',
     'PassphraseDefaultViewCapability' => 'PhabricatorPolicyCapability',
     'PassphraseNoteCredentialType' => 'PassphraseCredentialType',
     'PassphrasePasswordCredentialType' => 'PassphraseCredentialType',
     'PassphrasePasswordKey' => 'PassphraseAbstractKey',
     'PassphraseQueryConduitAPIMethod' => 'PassphraseConduitAPIMethod',
     'PassphraseRemarkupRule' => 'PhabricatorObjectRemarkupRule',
+    'PassphraseRevealCapability' => 'PhabricatorPolicyCapability',
     'PassphraseSSHGeneratedKeyCredentialType' => 'PassphraseSSHPrivateKeyCredentialType',
     'PassphraseSSHKey' => 'PassphraseAbstractKey',
     'PassphraseSSHPrivateKeyCredentialType' => 'PassphraseCredentialType',
diff --git a/src/applications/passphrase/application/PhabricatorPassphraseApplication.php b/src/applications/passphrase/application/PhabricatorPassphraseApplication.php
--- a/src/applications/passphrase/application/PhabricatorPassphraseApplication.php
+++ b/src/applications/passphrase/application/PhabricatorPassphraseApplication.php
@@ -80,6 +80,13 @@
         'capability' => PhabricatorPolicyCapability::CAN_EDIT,
         'default' => $policy_key,
       ),
+      PassphraseDefaultRevealCapability::CAPABILITY => array(
+        'caption' => pht(
+          'Default reveal policy for newly created credentials.'),
+        'template' => PassphraseCredentialPHIDType::TYPECONST,
+        'capability' => PassphraseDefaultRevealCapability::CAPABILITY,
+        'default' => $policy_key,
+      ),
     );
   }
 
diff --git a/src/applications/passphrase/capability/PassphraseDefaultRevealCapability.php b/src/applications/passphrase/capability/PassphraseDefaultRevealCapability.php
new file mode 100644
--- /dev/null
+++ b/src/applications/passphrase/capability/PassphraseDefaultRevealCapability.php
@@ -0,0 +1,12 @@
+<?php
+
+final class PassphraseDefaultRevealCapability
+  extends PhabricatorPolicyCapability {
+
+  const CAPABILITY = 'passphrase.default.reveal';
+
+  public function getCapabilityName() {
+    return pht('Default Reveal Policy');
+  }
+
+}
diff --git a/src/applications/passphrase/capability/PassphraseRevealCapability.php b/src/applications/passphrase/capability/PassphraseRevealCapability.php
new file mode 100644
--- /dev/null
+++ b/src/applications/passphrase/capability/PassphraseRevealCapability.php
@@ -0,0 +1,15 @@
+<?php
+
+final class PassphraseRevealCapability extends PhabricatorPolicyCapability {
+
+  const CAPABILITY = 'passphrase.reveal';
+
+  public function getCapabilityName() {
+    return pht('Revealable By');
+  }
+
+  public function describeCapabilityRejection() {
+    return pht('You do not have permission to reveal this secret.');
+  }
+
+}
diff --git a/src/applications/passphrase/controller/PassphraseCredentialEditController.php b/src/applications/passphrase/controller/PassphraseCredentialEditController.php
--- a/src/applications/passphrase/controller/PassphraseCredentialEditController.php
+++ b/src/applications/passphrase/controller/PassphraseCredentialEditController.php
@@ -85,6 +85,7 @@
       $v_username = $request->getStr('username');
       $v_view_policy = $request->getStr('viewPolicy');
       $v_edit_policy = $request->getStr('editPolicy');
+      $v_reveal_policy = $request->getStr('revealPolicy');
       $v_is_locked = $request->getStr('lock');
 
       $v_secret = $request->getStr('secret');
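Review bot: Nothing in this file's hunks ties changing the reveal policy to holding the reveal capability. `$v_reveal_policy` is read from the request here and applied in the later hunk as a `TYPE_REVEAL_POLICY` transaction right beside the edit-policy one. The controller's own capability check is outside the hunks. If it is the usual edit check, a user who can edit but not reveal can set the reveal policy to one that includes themselves, so the new capability does not actually separate the two roles. Either require `PassphraseRevealCapability::CAPABILITY` when the submitted value differs from `$credential->getRevealPolicy()`, or state the intended model in a comment such as `// Editors may change the reveal policy; the change is recorded as a TYPE_REVEAL_POLICY transaction.`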
@@ -123,6 +124,8 @@
         $type_is_locked = PassphraseCredentialTransaction::TYPE_LOCK;
         $type_view_policy = PhabricatorTransactions::TYPE_VIEW_POLICY;
         $type_edit_policy = PhabricatorTransactions::TYPE_EDIT_POLICY;
+        $type_reveal_policy =
+          PassphraseCredentialTransaction::TYPE_REVEAL_POLICY;
         $type_space = PhabricatorTransactions::TYPE_SPACE;
 
         $xactions = array();
@@ -144,6 +147,10 @@
           ->setNewValue($v_edit_policy);
 
         $xactions[] = id(new PassphraseCredentialTransaction())
+          ->setTransactionType($type_reveal_policy)
+          ->setNewValue($v_reveal_policy);
+
+        $xactions[] = id(new PassphraseCredentialTransaction())
           ->setTransactionType($type_space)
           ->setNewValue($v_space);
 
@@ -212,6 +219,7 @@
 
           $credential->setViewPolicy($v_view_policy);
           $credential->setEditPolicy($v_edit_policy);
+          $credential->setRevealPolicy($v_reveal_policy);
         }
       }
     }
@@ -258,6 +266,12 @@
           ->setPolicyObject($credential)
           ->setCapability(PhabricatorPolicyCapability::CAN_EDIT)
           ->setPolicies($policies))
+      ->appendControl(
+        id(new AphrontFormPolicyControl())
+          ->setName('revealPolicy')
+          ->setPolicyObject($credential)
+          ->setCapability(PassphraseRevealCapability::CAPABILITY)
+          ->setPolicies($policies))
       ->appendChild(
         id(new AphrontFormDividerControl()));
 
diff --git a/src/applications/passphrase/controller/PassphraseCredentialRevealController.php b/src/applications/passphrase/controller/PassphraseCredentialRevealController.php
--- a/src/applications/passphrase/controller/PassphraseCredentialRevealController.php
+++ b/src/applications/passphrase/controller/PassphraseCredentialRevealController.php
@@ -13,7 +13,7 @@
       ->requireCapabilities(
         array(
           PhabricatorPolicyCapability::CAN_VIEW,
-          PhabricatorPolicyCapability::CAN_EDIT,
+          PassphraseRevealCapability::CAPABILITY,
         ))
       ->needSecrets(true)
       ->executeOne();
@@ -66,10 +66,10 @@
         ->setDisableWorkflowOnCancel(true)
         ->addCancelButton($view_uri, pht('Done'));
 
-      $type_secret = PassphraseCredentialTransaction::TYPE_LOOKEDATSECRET;
+      $type_revealed = PassphraseCredentialTransaction::TYPE_REVEALED;
       $xactions = array(
         id(new PassphraseCredentialTransaction())
-          ->setTransactionType($type_secret)
+          ->setTransactionType($type_revealed)
           ->setNewValue(true),
       );
 
diff --git a/src/applications/passphrase/controller/PassphraseCredentialViewController.php b/src/applications/passphrase/controller/PassphraseCredentialViewController.php
--- a/src/applications/passphrase/controller/PassphraseCredentialViewController.php
+++ b/src/applications/passphrase/controller/PassphraseCredentialViewController.php
@@ -97,6 +97,10 @@
       $viewer,
       $credential,
       PhabricatorPolicyCapability::CAN_EDIT);
+    $can_reveal = PhabricatorPolicyFilter::hasCapability(
+      $viewer,
+      $credential,
+      PassphraseRevealCapability::CAPABILITY);
 
     $actions->addAction(
       id(new PhabricatorActionView())
@@ -117,10 +121,10 @@
 
       $actions->addAction(
         id(new PhabricatorActionView())
-          ->setName(pht('Show Secret'))
+          ->setName(pht('Reveal Secret'))
           ->setIcon('fa-eye')
           ->setHref($this->getApplicationURI("reveal/{$id}/"))
-          ->setDisabled(!$can_edit || $is_locked)
+          ->setDisabled(!$can_reveal || $is_locked)
           ->setWorkflow(true));
 
       if ($type->hasPublicKey()) {
@@ -177,6 +181,10 @@
       pht('Editable By'),
       $descriptions[PhabricatorPolicyCapability::CAN_EDIT]);
 
+    $properties->addProperty(
+      pht('Revealable By'),
+      $descriptions[PassphraseRevealCapability::CAPABILITY]);
+
     if ($type->shouldRequireUsername()) {
       $properties->addProperty(
         pht('Username'),
diff --git a/src/applications/passphrase/editor/PassphraseCredentialTransactionEditor.php b/src/applications/passphrase/editor/PassphraseCredentialTransactionEditor.php
--- a/src/applications/passphrase/editor/PassphraseCredentialTransactionEditor.php
+++ b/src/applications/passphrase/editor/PassphraseCredentialTransactionEditor.php
@@ -22,9 +22,10 @@
     $types[] = PassphraseCredentialTransaction::TYPE_USERNAME;
     $types[] = PassphraseCredentialTransaction::TYPE_SECRET_ID;
     $types[] = PassphraseCredentialTransaction::TYPE_DESTROY;
-    $types[] = PassphraseCredentialTransaction::TYPE_LOOKEDATSECRET;
+    $types[] = PassphraseCredentialTransaction::TYPE_REVEALED;
     $types[] = PassphraseCredentialTransaction::TYPE_LOCK;
     $types[] = PassphraseCredentialTransaction::TYPE_CONDUIT;
+    $types[] = PassphraseCredentialTransaction::TYPE_REVEAL_POLICY;
 
     return $types;
   }
@@ -50,11 +51,11 @@
         return (int)$object->getIsLocked();
       case PassphraseCredentialTransaction::TYPE_CONDUIT:
         return (int)$object->getAllowConduit();
-      case PassphraseCredentialTransaction::TYPE_LOOKEDATSECRET:
+      case PassphraseCredentialTransaction::TYPE_REVEALED:
         return null;
+      default:
+        return parent::getCustomTransactionOldValue($object, $xaction);
     }
-
-    return parent::getCustomTransactionOldValue($object, $xaction);
   }
 
   protected function getCustomTransactionNewValue(
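Review bot: `TYPE_REVEAL_POLICY` gets no case in `getCustomTransactionOldValue()`, nor in `getCustomTransactionNewValue()` in the next hunk, so both calls reach the new `default:` branch and are delegated to the parent. What the parent does with an application-specific type is not visible on this page. The new title "changed the reveal policy from … to …" needs the old value to be the credential's current policy, so it should be set explicitly with `case PassphraseCredentialTransaction::TYPE_REVEAL_POLICY: return $object->getRevealPolicy();`. In the new-value switch, add the same case label to the group that ends in `return $xaction->getNewValue();`. Both function bodies start outside their hunks.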
@@ -65,15 +66,17 @@
       case PassphraseCredentialTransaction::TYPE_DESCRIPTION:
       case PassphraseCredentialTransaction::TYPE_USERNAME:
       case PassphraseCredentialTransaction::TYPE_SECRET_ID:
-      case PassphraseCredentialTransaction::TYPE_LOOKEDATSECRET:
+      case PassphraseCredentialTransaction::TYPE_REVEALED:
         return $xaction->getNewValue();
       case PassphraseCredentialTransaction::TYPE_DESTROY:
       case PassphraseCredentialTransaction::TYPE_LOCK:
         return (int)$xaction->getNewValue();
       case PassphraseCredentialTransaction::TYPE_CONDUIT:
         return (int)$xaction->getNewValue();
+
+      default:
+        return parent::getCustomTransactionNewValue($object, $xaction);
     }
-    return parent::getCustomTransactionNewValue($object, $xaction);
   }
 
   protected function applyCustomInternalTransaction(
@@ -108,7 +111,7 @@
           }
         }
         return;
-      case PassphraseCredentialTransaction::TYPE_LOOKEDATSECRET:
+      case PassphraseCredentialTransaction::TYPE_REVEALED:
         return;
       case PassphraseCredentialTransaction::TYPE_LOCK:
         $object->setIsLocked((int)$xaction->getNewValue());
@@ -116,9 +119,14 @@
       case PassphraseCredentialTransaction::TYPE_CONDUIT:
         $object->setAllowConduit((int)$xaction->getNewValue());
         return;
-    }
 
-    return parent::applyCustomInternalTransaction($object, $xaction);
+      case PassphraseCredentialTransaction::TYPE_REVEAL_POLICY:
+        $object->setRevealPolicy($xaction->getNewValue());
+        break;
+
+      default:
+        return parent::applyCustomInternalTransaction($object, $xaction);
+    }
   }
 
   protected function applyCustomExternalTransaction(
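Review bot: The new `TYPE_REVEAL_POLICY` case stores `$xaction->getNewValue()` with `setRevealPolicy()` unchanged, and no line added to this editor validates it. The value comes from `$request->getStr('revealPolicy')`, so a missing or empty field would be written to a column that migration 2 treats as "unset" when it is `''`. How the policy engine evaluates an empty or unknown policy string is not shown here. Rejecting empty or unrecognized values in the editor's validation step before this point would keep the credential from ending up with an undefined reveal policy. Separately, this case ends in `break;` where every sibling case uses `return;`; `return;` would match them.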
@@ -131,13 +139,15 @@
       case PassphraseCredentialTransaction::TYPE_USERNAME:
       case PassphraseCredentialTransaction::TYPE_SECRET_ID:
       case PassphraseCredentialTransaction::TYPE_DESTROY:
-      case PassphraseCredentialTransaction::TYPE_LOOKEDATSECRET:
+      case PassphraseCredentialTransaction::TYPE_REVEALED:
       case PassphraseCredentialTransaction::TYPE_LOCK:
       case PassphraseCredentialTransaction::TYPE_CONDUIT:
+      case PassphraseCredentialTransaction::TYPE_REVEAL_POLICY:
         return;
-    }
 
-    return parent::applyCustomExternalTransaction($object, $xaction);
+      default:
+        return parent::applyCustomExternalTransaction($object, $xaction);
+    }
   }
 
   private function destroySecret($secret_id) {
diff --git a/src/applications/passphrase/storage/PassphraseCredential.php b/src/applications/passphrase/storage/PassphraseCredential.php
--- a/src/applications/passphrase/storage/PassphraseCredential.php
+++ b/src/applications/passphrase/storage/PassphraseCredential.php
@@ -14,6 +14,7 @@
   protected $providesType;
   protected $viewPolicy;
   protected $editPolicy;
+  protected $revealPolicy;
   protected $description;
   protected $username;
   protected $secretID;
@@ -33,6 +34,8 @@
 
     $view_policy = $app->getPolicy(PassphraseDefaultViewCapability::CAPABILITY);
     $edit_policy = $app->getPolicy(PassphraseDefaultEditCapability::CAPABILITY);
+    $reveal_policy = $app->getPolicy(
+      PassphraseDefaultRevealCapability::CAPABILITY);
 
     return id(new PassphraseCredential())
       ->setName('')
@@ -42,6 +45,7 @@
       ->setAuthorPHID($actor->getPHID())
       ->setViewPolicy($view_policy)
       ->setEditPolicy($edit_policy)
+      ->setRevealPolicy($reveal_policy)
       ->setSpacePHID($actor->getDefaultSpacePHID());
   }
 
@@ -62,6 +66,7 @@
         'isDestroyed' => 'bool',
         'isLocked' => 'bool',
         'allowConduit' => 'bool',
+        'revealPolicy' => 'policy',
       ),
       self::CONFIG_KEY_SCHEMA => array(
         'key_secret' => array(
@@ -128,6 +133,7 @@
     return array(
       PhabricatorPolicyCapability::CAN_VIEW,
       PhabricatorPolicyCapability::CAN_EDIT,
+      PassphraseRevealCapability::CAPABILITY,
     );
   }
 
@@ -137,6 +143,8 @@
         return $this->getViewPolicy();
       case PhabricatorPolicyCapability::CAN_EDIT:
         return $this->getEditPolicy();
+      case PassphraseRevealCapability::CAPABILITY:
+        return $this->getRevealPolicy();
     }
   }
 
diff --git a/src/applications/passphrase/storage/PassphraseCredentialTransaction.php b/src/applications/passphrase/storage/PassphraseCredentialTransaction.php
--- a/src/applications/passphrase/storage/PassphraseCredentialTransaction.php
+++ b/src/applications/passphrase/storage/PassphraseCredentialTransaction.php
@@ -3,14 +3,15 @@
 final class PassphraseCredentialTransaction
   extends PhabricatorApplicationTransaction {
 
-  const TYPE_NAME = 'passphrase:name';
-  const TYPE_DESCRIPTION = 'passphrase:description';
-  const TYPE_USERNAME = 'passphrase:username';
-  const TYPE_SECRET_ID = 'passphrase:secretID';
-  const TYPE_DESTROY = 'passphrase:destroy';
-  const TYPE_LOOKEDATSECRET = 'passphrase:lookedAtSecret';
-  const TYPE_LOCK = 'passphrase:lock';
-  const TYPE_CONDUIT = 'passphrase:conduit';
+  const TYPE_NAME           = 'passphrase:name';
+  const TYPE_DESCRIPTION    = 'passphrase:description';
+  const TYPE_USERNAME       = 'passphrase:username';
+  const TYPE_SECRET_ID      = 'passphrase:secretID';
+  const TYPE_DESTROY        = 'passphrase:destroy';
+  const TYPE_REVEALED       = 'passphrase:revealed';
+  const TYPE_LOCK           = 'passphrase:lock';
+  const TYPE_CONDUIT        = 'passphrase:conduit';
+  const TYPE_REVEAL_POLICY  = 'passphrase:reveal-policy';
 
   public function getApplicationName() {
     return 'passphrase';
@@ -24,6 +25,26 @@
     return null;
   }
 
+  public function getRequiredHandlePHIDs() {
+    $phids = parent::getRequiredHandlePHIDs();
+
+    $old = $this->getOldValue();
+    $new = $this->getNewValue();
+
+    switch ($this->getTransactionType()) {
+      case self::TYPE_REVEAL_POLICY:
+        if ($old) {
+          $phids[] = $old;
+        }
+        if ($new) {
+          $phids[] = $new;
+        }
+        break;
+    }
+
+    return $phids;
+  }
+
   public function shouldHide() {
     $old = $this->getOldValue();
     switch ($this->getTransactionType()) {
@@ -33,7 +54,7 @@
         return ($old === null);
       case self::TYPE_USERNAME:
         return !strlen($old);
-      case self::TYPE_LOOKEDATSECRET:
+      case self::TYPE_REVEALED:
         return false;
     }
     return parent::shouldHide();
@@ -84,9 +105,9 @@
         return pht(
           '%s destroyed this credential.',
           $this->renderHandleLink($author_phid));
-      case self::TYPE_LOOKEDATSECRET:
+      case self::TYPE_REVEALED:
         return pht(
-          '%s examined the secret plaintext for this credential.',
+          '%s revealed the secret plaintext for this credential.',
           $this->renderHandleLink($author_phid));
       case self::TYPE_LOCK:
         return pht(
@@ -103,6 +124,12 @@
             $this->renderHandleLink($author_phid));
         }
         break;
+      case self::TYPE_REVEAL_POLICY:
+        return pht(
+          '%s changed the reveal policy from "%s" to "%s".',
+          $this->renderHandleLink($author_phid),
+          $this->renderPolicyName($old, 'old'),
+          $this->renderPolicyName($new, 'new'));
     }
 
     return parent::getTitle();
diff --git a/src/applications/paste/storage/PhabricatorPaste.php b/src/applications/paste/storage/PhabricatorPaste.php
--- a/src/applications/paste/storage/PhabricatorPaste.php
+++ b/src/applications/paste/storage/PhabricatorPaste.php
@@ -183,12 +183,12 @@
   }
 
   public function getPolicy($capability) {
-    if ($capability == PhabricatorPolicyCapability::CAN_VIEW) {
-      return $this->viewPolicy;
-    } else if ($capability == PhabricatorPolicyCapability::CAN_EDIT) {
-      return $this->editPolicy;
+    switch ($capability) {
+      case PhabricatorPolicyCapability::CAN_VIEW:
+        return $this->viewPolicy;
+      case PhabricatorPolicyCapability::CAN_EDIT:
+        return $this->editPolicy;
     }
-    return PhabricatorPolicies::POLICY_NOONE;
   }
 
   public function hasAutomaticCapability($capability, PhabricatorUser $user) {
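Review bot: The rewritten `getPolicy()` drops the `return PhabricatorPolicies::POLICY_NOONE;` fallback, so any capability other than `CAN_VIEW` or `CAN_EDIT` now falls out of the switch and the method returns null instead of an explicit deny-all policy. How the policy filter treats a null policy is not visible on this page, and an authorization lookup should not depend on that. Keep the fail-closed behaviour with `default: return PhabricatorPolicies::POLICY_NOONE;`. `PassphraseCredential::getPolicy()`, touched earlier in this commit, has the same switch with no default and would benefit from the same line.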
diff --git a/src/applications/transactions/constants/PhabricatorTransactions.php b/src/applications/transactions/constants/PhabricatorTransactions.php
--- a/src/applications/transactions/constants/PhabricatorTransactions.php
+++ b/src/applications/transactions/constants/PhabricatorTransactions.php
@@ -12,7 +12,7 @@
   const TYPE_BUILDABLE    = 'harbormaster:buildable';
   const TYPE_TOKEN        = 'token:give';
   const TYPE_INLINESTATE  = 'core:inlinestate';
-  const TYPE_SPACE = 'core:space';
+  const TYPE_SPACE        = 'core:space';
 
   const COLOR_RED         = 'red';
   const COLOR_ORANGE      = 'orange';