Page MenuHomePhabricator

User unable to create repository if not in the "Default Edit Policy" of Diffusion Application
Open, Needs TriagePublic


I have a user who is getting an error when trying to create a new repository in Diffusion, and I believe everything is setup that he should be able to create the repository. When he finishes creating the repository he is presented with:

You Shall Not Pass: Unknown Object (VOID)	
You do not have permission to edit this object.
Users with the "Can Edit" capability:
Members of the project "Engineers - Power" can take this action.

After this, I checked ./bin/repository list just to see if a repository was actually created but it didn't appear to be.


Diffusion Application Policies look like:

Can Use ApplicationEmployeesThis is a project/group with all employees who can log into Phabricator
Can Configure ApplicationAdministratorsThis can't be modified in the Phabricator interface
Default View PolicyEngineersThis is a project/group with the software developers
Default Edit PolicyEngineers - PowerThis is a project/group with limited engineers for managing repositories
Default Push PolicyEngineers
Can Create RepositoriesCustom Policy=>Members of "Engineers" or members of "IT"

This user is a member of "Employees" and "IT". During the walkthrough of creating a repository, he configures the policies this way:

Visible ToIT
Editable ByIT
Can PushIT

I believe the issue is due to the user not being in the Diffusion application's "Default Edit Policy". After adding "IT" to the "Default Edit Policy" (as well as "Default View" and "Default Push") he was able to successfully create the repository.


Event Timeline

Anyways... this sounds correct. Why should a user be able to create something they can't edit?

Yea I'm really sorry about March 4th. I'll probably look at upgrading in the following weeks. I slowed down updating because of the new UI layout to differential revisions which I thought would upset some people, needed to wait for warmer weather, etc. :x)

Why should a user be able to create something they can't edit?

When he creates the repository he's setting the "Can Edit" to a group which he's a member of though. I was expecting that would overwrite the "Default Edit Policy" on diffusion.

If I set "Can Edit" to Noone and "Can Create" to Admins, I can create repositories. But this is current Phabricator.

Nevermind I am wrong. Anyways, @epriestley can explain policies better. I think this is correct on our side.

This would work now, except that there's no way to change "Edit Policy" from the initial form page.

I'm leaning toward supporting EditEngine forms, which would let you create a form with appropriate defaults. Since I think that's the likely way forward, I'm hesitant to try to work around this in the meantime.

For now, the more restrictive of "Can Create" and "Default Edit Policy" is the effective create policy.

This shouldn't apply to repositories created via the API, as long as they adjust the edit policy in the initial transaction group.

there's no way to change "Edit Policy" from the initial form page

Is that not the same thing as "Editable By" during repository creation?

Screen Shot 2016-06-17 at 4.51.04 PM.png (331×1 px, 53 KB)

Or are you saying that changing that field doesn't take effect until after the repository is created - meaning the walkthrough can't be completed due to requring "Default Edit Policy" at this next step?

There are two completely different flows. At HEAD, the flow is entirely different and uses none of the same code.

The old flow was simply buggy.

The new flow is not buggy, but there is no "Editable By" field until you create the repository, so you don't have an opportunity to change the edit policy.

Ah sorry for the confusion. I was trying to keep up to date on the weekly updates and didn't realize this flow had changed. I'll look at upgrading in the following week or two.

eadler added a project: Restricted Project.Sep 15 2016, 6:08 PM
epriestley edited projects, added Diffusion (v3); removed Diffusion.

Isn't that a dup of T8611?

IMO, the WUI for creating the new repository should have the policies including space, edit policy and view policy. Like for creating new Maniphest tasks

The space part is also important. Otherwise the repository will initially land in the first space the user has access to.