HomePhabricator

Add a "Can Disable Users" capability to the "People" application

Description

Add a "Can Disable Users" capability to the "People" application

Summary:
Depends on D19605. Ref T13189. See PHI642. This adds a separate "Can Disable Users" capability, and makes the underlying transaction use it.

This doesn't actually let you weaken the permission, since all pathways need more permissions:

  • user.edit needs CAN_EDIT.
  • user.disable/enable need admin.
  • Web UI workflow needs admin.

Upcoming changes will update these pathways.

Without additional changes, this does let you strengthen the permission.

This also fixes the inability to disable non-bot users via the web UI.

Test Plan:

  • Set permission to "No One", tried to disable users. Got a tailored policy error.
  • Set permission to "All Users", disabled/enabled a non-bot user.

Reviewers: amckinley

Maniphest Tasks: T13189

Differential Revision: https://secure.phabricator.com/D19606