User unable to create repository if not in the "Default Edit Policy" of Diffusion Application
Open, Needs Triage, Public

Description

I have a user who is getting an error when trying to create a new repository in Diffusion, and I believe everything is set up so that he should be able to create the repository. When he finishes creating the repository he is presented with:

You Shall Not Pass: Unknown Object (VOID)	
You do not have permission to edit this object.
Users with the "Can Edit" capability:
Members of the project "Engineers - Power" can take this action.

After this, I checked ./bin/repository list just to see if a repository was actually created but it didn't appear to be.

Reproducing

Diffusion Application Policies look like:

| Policy | Value | Details |
| --- | --- | --- |
| Can Use Application | Employees | This is a project/group with all employees who can log into Phabricator |
| Can Configure Application | Administrators | This can't be modified in the Phabricator interface |
| Default View Policy | Engineers | This is a project/group with the software developers |
| Default Edit Policy | Engineers - Power | This is a project/group with limited engineers for managing repositories |
| Default Push Policy | Engineers | |
| Can Create Repositories | Custom Policy=>Members of "Engineers" or members of "IT" | |

This user is a member of "Employees" and "IT". During the walkthrough of creating a repository, he configures the policies this way:

| Policy | Value |
| --- | --- |
| Visible To | IT |
| Editable By | IT |
| Can Push | IT |

Workaround

I believe the issue is due to the user not being in the Diffusion application's "Default Edit Policy". After adding "IT" to the "Default Edit Policy" (as well as "Default View" and "Default Push") he was able to successfully create the repository.

Install

Event Timeline

Anyways... this sounds correct. Why should a user be able to create something they can't edit?

Yea I'm really sorry about March 4th. I'll probably look at upgrading in the following weeks. I slowed down updating because of the new UI layout to differential revisions which I thought would upset some people, needed to wait for warmer weather, etc. :x)

> Why should a user be able to create something they can't edit?

When he creates the repository he's setting the "Can Edit" to a group which he's a member of though. I was expecting that would overwrite the "Default Edit Policy" on diffusion.

If I set "Can Edit" to No One and "Can Create" to Admins, I can create repositories. But this is current Phabricator.

Never mind, I am wrong. Anyways, @epriestley can explain policies better. I think this is correct on our side.

This would work now, except that there's no way to change "Edit Policy" from the initial form page.

I'm leaning toward supporting EditEngine forms, which would let you create a form with appropriate defaults. Since I think that's the likely way forward, I'm hesitant to try to work around this in the meantime.

For now, the more restrictive of "Can Create" and "Default Edit Policy" is the effective create policy.

This shouldn't apply to repositories created via the API, as long as they adjust the edit policy in the initial transaction group.
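
The rule described in the comment above, as an added example: a simplified Python model, not Phabricator's own code and not part of the original thread. The names `Policy`, `DiffusionPolicies` and `check_create` are hypothetical, the project names come from the report, and it assumes the edit check runs against whatever edit policy the new repository carries after its initial transactions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    """Satisfied by membership in any one of the named projects."""
    projects: frozenset

    def allows(self, user_projects):
        return bool(self.projects & user_projects)


def policy(*names):
    return Policy(frozenset(names))


@dataclass(frozen=True)
class DiffusionPolicies:
    can_create: Policy
    default_edit: Policy


def check_create(app, user_projects, initial_edit=None):
    """Model of the create check; returns (allowed, reason).

    initial_edit is an edit policy supplied in the same initial transaction
    group as the creation (the API case). None models the web form, which
    has no "Editable By" field until the repository exists.
    Assumption: the edit check runs against the policy the new object
    carries once those initial transactions are applied.
    """
    if not app.can_create.allows(user_projects):
        return False, "denied by Can Create Repositories"
    edit = app.default_edit if initial_edit is None else initial_edit
    if not edit.allows(user_projects):
        return False, "denied by Can Edit on the new repository"
    return True, "allowed"


# Constructed sample mirroring the policies listed in the report.
REPORTED = DiffusionPolicies(policy("Engineers", "IT"), policy("Engineers - Power"))
WORKAROUND = DiffusionPolicies(policy("Engineers", "IT"),
                               policy("Engineers - Power", "IT"))
IT_USER = frozenset({"Employees", "IT"})

if __name__ == "__main__":
    print("web form:  ", check_create(REPORTED, IT_USER))
    print("API + edit:", check_create(REPORTED, IT_USER, policy("IT")))
    print("workaround:", check_create(WORKAROUND, IT_USER))
```
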

> there's no way to change "Edit Policy" from the initial form page

Is that not the same thing as "Editable By" during repository creation?

Or are you saying that changing that field doesn't take effect until after the repository is created - meaning the walkthrough can't be completed due to requiring "Default Edit Policy" at this next step?

There are two completely different flows. At HEAD, the flow is entirely different and uses none of the same code.

The old flow was simply buggy.

The new flow is not buggy, but there is no "Editable By" field until you create the repository, so you don't have an opportunity to change the edit policy.

Ah sorry for the confusion. I was trying to keep up to date on the weekly updates and didn't realize this flow had changed. I'll look at upgrading in the following week or two.

eadler added a project: Restricted Project. (Sep 15 2016, 6:08 PM)
epriestley edited projects, added Diffusion (v3); removed Diffusion.

Isn't that a dup of T8611?

IMO, the WUI for creating the new repository should have the policies including space, edit policy and view policy. Like for creating new Maniphest tasks.

The space part is also important. Otherwise the repository will initially land in the first space the user has access to.