
allow ANDing (or negating) rules in custom policies
Open, Needs Triage, Public

Description

I was thinking about how to allow clients to have access to our Phabricator, and I think what is missing is the possibility to AND policy rules.

It would be nice if you can create rules like:

  • "allow" "members of projects" "myclient" AND "members of projects" "project1" AND "signers of legalpad documents" "L1"
  • "if no rules match": deny

So you can only access the object when you are a member of myclient AND project1 AND have signed the Legalpad document.

What would fit the current Edit Policy UI and accomplishes the same is allowing a rule to be negated, so you can explicitly deny access to anyone who has not signed "L1" or is a member of a project:

  • "deny" NOT "signers of legalpad documents" "L1"
  • "deny" NOT "member of" "project1, myclient"
  • If No Rules Match: "allow"

Also, if you can AND (or negate) policy rules and you treat projects as namespaces, I think it is already close to a solution for T3820.
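To make the two formulations in this task concrete, here is an added example (not part of the task or of Phabricator's own policy code) that models first-match rule evaluation with ANDed predicates and negated predicates, then runs both policies over constructed users. The predicate format, the `User` type and the sample users are assumptions for the example; the "project1, myclient" deny rule is modelled as one negated rule per project, because a single membership check over a list of projects that matches any member would let a user who is in only one of the two projects through.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    name: str
    projects: frozenset = frozenset()
    signed: frozenset = frozenset()

# Predicate forms are constructed for this example: ("project", name), ("signed", doc),
# or ("not", predicate). A rule is (action, [predicates]); its predicates are ANDed.
def holds(pred, user):
    kind = pred[0]
    if kind == "not":
        return not holds(pred[1], user)
    if kind == "project":
        return pred[1] in user.projects
    if kind == "signed":
        return pred[1] in user.signed
    raise ValueError(f"unknown predicate {kind}")

def evaluate(policy, user):
    """First matching rule decides; otherwise the policy's default applies."""
    for action, preds in policy["rules"]:
        if all(holds(p, user) for p in preds):
            return action
    return policy["default"]

# Formulation 1 from the task: one ANDed allow rule, default deny.
AND_POLICY = {
    "rules": [("allow", [("project", "myclient"), ("project", "project1"), ("signed", "L1")])],
    "default": "deny",
}
# Formulation 2: negated deny rules, default allow (one negated rule per project, see lead-in).
NEGATED_POLICY = {
    "rules": [
        ("deny", [("not", ("signed", "L1"))]),
        ("deny", [("not", ("project", "project1"))]),
        ("deny", [("not", ("project", "myclient"))]),
    ],
    "default": "allow",
}

# Constructed sample users covering the boundary cases.
USERS = [
    User("full", frozenset({"myclient", "project1"}), frozenset({"L1"})),
    User("unsigned", frozenset({"myclient", "project1"})),
    User("one_project", frozenset({"project1"}), frozenset({"L1"})),
    User("stranger"),
]

def decisions(users=USERS):
    """Return {user name: (AND-formulation result, negated-formulation result)}."""
    return {u.name: (evaluate(AND_POLICY, u), evaluate(NEGATED_POLICY, u)) for u in users}
```

Only the fully qualified user is allowed by either formulation; the other three are denied by both, which is what makes the negated form a drop-in for the ANDed rule.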