Page MenuHomePhabricator

Herald Rule not inheriting Object policy from Project in a way I understand
Open, Needs TriagePublic


I'm creating a Herald Rule for commits for a project. (I'm anticipating triggering the rule whenever a commit gets pushed to a repository that's tagged with that project or whenever a commit gets tagged with that project. Maybe that's not what it's intended for?) Even though I have permissions to edit the project, I end up not having permissions to edit the rule after I create it.


Steps to reproduce:

  1. Create a project with the following:
    • Set the Edit Policy to "Project Members".
    • Add yourself as an initial member.
  2. Create a Herald Rule with the following:
    • Create it for "Commits", "Commit Hook: Branches/Tags/Bookmarks", or "Commit Hook: Commit Content".
    • Set the Rule Type to "Object".
    • Set the Object to your newly created project.
    • The Name, Conditions, and Action don't appear to affect the outcome. Set them to anything you like.


A new Herald Rule that you're allowed to edit?


A new Herald Rule that you can't edit.

You do not have permission to edit this object.
Users with the "Can Edit" capability:
* Project members can take this action.
* Object rules inherit the edit policies of their objects.

Additional Notes:

If you change the project's Edit Policy to, say, yourself or "All Users", then you're able to edit the Herald rule.

Event Timeline

This is a bug with how relative/object policies and inherited/indirect policies interact.

We're evaluating the "members-of(thing)" policy on the "herald-rule", producing "members-of(herald-rule)", which is meaningless.

This used to work when policies were all absolute, but got messy in some cases with the advent of relative/object policies. HeraldRule likely needs to implement PhabricatorExtendedPolicyInterface and express this edit capability as an extended policy.