diff --git a/src/applications/policy/filter/PhabricatorPolicyFilter.php b/src/applications/policy/filter/PhabricatorPolicyFilter.php index 4ea7ce1549..63f3f98cec 100644 --- a/src/applications/policy/filter/PhabricatorPolicyFilter.php +++ b/src/applications/policy/filter/PhabricatorPolicyFilter.php @@ -1,991 +1,1015 @@ setViewer($user) ->requireCapabilities(array($capability)) ->raisePolicyExceptions(true) ->apply(array($object)); } /** * Perform a capability check, acting as though an object had a specific * policy. This is primarily used to check if a policy is valid (for example, * to prevent users from editing away their ability to edit an object). * * Specifically, a check like this: * * PhabricatorPolicyFilter::requireCapabilityWithForcedPolicy( * $viewer, * $object, * PhabricatorPolicyCapability::CAN_EDIT, * $potential_new_policy); * * ...will throw a @{class:PhabricatorPolicyException} if the new policy would * remove the user's ability to edit the object. * * @param PhabricatorUser The viewer to perform a policy check for. * @param PhabricatorPolicyInterface The object to perform a policy check on. * @param string Capability to test. * @param string Perform the test as though the object has this * policy instead of the policy it actually has. * @return void */ public static function requireCapabilityWithForcedPolicy( PhabricatorUser $viewer, PhabricatorPolicyInterface $object, $capability, $forced_policy) { id(new PhabricatorPolicyFilter()) ->setViewer($viewer) ->requireCapabilities(array($capability)) ->raisePolicyExceptions(true) ->forcePolicy($forced_policy) ->apply(array($object)); } public static function hasCapability( PhabricatorUser $user, PhabricatorPolicyInterface $object, $capability) { $filter = new PhabricatorPolicyFilter(); $filter->setViewer($user); $filter->requireCapabilities(array($capability)); $result = $filter->apply(array($object)); return (count($result) == 1); } public static function canInteract( PhabricatorUser $user, PhabricatorPolicyInterface $object) { $capabilities = self::getRequiredInteractCapabilities($object); foreach ($capabilities as $capability) { if (!self::hasCapability($user, $object, $capability)) { return false; } } return true; } public static function requireCanInteract( PhabricatorUser $user, PhabricatorPolicyInterface $object) { $capabilities = self::getRequiredInteractCapabilities($object); foreach ($capabilities as $capability) { self::requireCapability($user, $object, $capability); } } private static function getRequiredInteractCapabilities( PhabricatorPolicyInterface $object) { $capabilities = $object->getCapabilities(); $capabilities = array_fuse($capabilities); $can_interact = PhabricatorPolicyCapability::CAN_INTERACT; $can_view = PhabricatorPolicyCapability::CAN_VIEW; $require = array(); // If the object doesn't support a separate "Interact" capability, we // only use the "View" capability: for most objects, you can interact // with them if you can see them. $require[] = $can_view; if (isset($capabilities[$can_interact])) { $require[] = $can_interact; } return $require; } public function setViewer(PhabricatorUser $user) { $this->viewer = $user; return $this; } public function requireCapabilities(array $capabilities) { $this->capabilities = $capabilities; return $this; } public function raisePolicyExceptions($raise) { $this->raisePolicyExceptions = $raise; return $this; } public function forcePolicy($forced_policy) { $this->forcedPolicy = $forced_policy; return $this; } public function apply(array $objects) { assert_instances_of($objects, 'PhabricatorPolicyInterface'); $viewer = $this->viewer; $capabilities = $this->capabilities; if (!$viewer || !$capabilities) { throw new PhutilInvalidStateException('setViewer', 'requireCapabilities'); } // If the viewer is omnipotent, short circuit all the checks and just // return the input unmodified. This is an optimization; we know the // result already. if ($viewer->isOmnipotent()) { return $objects; } // Before doing any actual object checks, make sure the viewer can see // the applications that these objects belong to. This is normally enforced // in the Query layer before we reach object filtering, but execution // sometimes reaches policy filtering without running application checks. $objects = $this->applyApplicationChecks($objects); $filtered = array(); $viewer_phid = $viewer->getPHID(); if (empty($this->userProjects[$viewer_phid])) { $this->userProjects[$viewer_phid] = array(); } $need_projects = array(); $need_policies = array(); $need_objpolicies = array(); foreach ($objects as $key => $object) { $object_capabilities = $object->getCapabilities(); foreach ($capabilities as $capability) { if (!in_array($capability, $object_capabilities)) { throw new Exception( pht( 'Testing for capability "%s" on an object ("%s") which does '. 'not support that capability.', $capability, get_class($object))); } $policy = $this->getObjectPolicy($object, $capability); if (PhabricatorPolicyQuery::isObjectPolicy($policy)) { $need_objpolicies[$policy][] = $object; continue; } $type = phid_get_type($policy); if ($type == PhabricatorProjectProjectPHIDType::TYPECONST) { $need_projects[$policy] = $policy; continue; } if ($type == PhabricatorPolicyPHIDTypePolicy::TYPECONST) { $need_policies[$policy][] = $object; continue; } } } if ($need_objpolicies) { $this->loadObjectPolicies($need_objpolicies); } if ($need_policies) { $this->loadCustomPolicies($need_policies); } // If we need projects, check if any of the projects we need are also the // objects we're filtering. Because of how project rules work, this is a // common case. if ($need_projects) { foreach ($objects as $object) { if ($object instanceof PhabricatorProject) { $project_phid = $object->getPHID(); if (isset($need_projects[$project_phid])) { $is_member = $object->isUserMember($viewer_phid); $this->userProjects[$viewer_phid][$project_phid] = $is_member; unset($need_projects[$project_phid]); } } } } if ($need_projects) { $need_projects = array_unique($need_projects); // NOTE: We're using the omnipotent user here to avoid a recursive // descent into madness. We don't actually need to know if the user can // see these projects or not, since: the check is "user is member of // project", not "user can see project"; and membership implies // visibility anyway. Without this, we may load other projects and // re-enter the policy filter and generally create a huge mess. $projects = id(new PhabricatorProjectQuery()) ->setViewer(PhabricatorUser::getOmnipotentUser()) ->withMemberPHIDs(array($viewer->getPHID())) ->withPHIDs($need_projects) ->execute(); foreach ($projects as $project) { $this->userProjects[$viewer_phid][$project->getPHID()] = true; } } foreach ($objects as $key => $object) { foreach ($capabilities as $capability) { if (!$this->checkCapability($object, $capability)) { // If we're missing any capability, move on to the next object. continue 2; } } // If we make it here, we have all of the required capabilities. $filtered[$key] = $object; } // If we survived the primary checks, apply extended checks to objects // with extended policies. $results = array(); $extended = array(); foreach ($filtered as $key => $object) { if ($object instanceof PhabricatorExtendedPolicyInterface) { $extended[$key] = $object; } else { $results[$key] = $object; } } if ($extended) { $results += $this->applyExtendedPolicyChecks($extended); // Put results back in the original order. $results = array_select_keys($results, array_keys($filtered)); } return $results; } private function applyExtendedPolicyChecks(array $extended_objects) { $viewer = $this->viewer; $filter_capabilities = $this->capabilities; // Iterate over the objects we need to filter and pull all the nonempty // policies into a flat, structured list. $all_structs = array(); foreach ($extended_objects as $key => $extended_object) { foreach ($filter_capabilities as $extended_capability) { $extended_policies = $extended_object->getExtendedPolicy( $extended_capability, $viewer); if (!$extended_policies) { continue; } foreach ($extended_policies as $extended_policy) { list($object, $capabilities) = $extended_policy; // Build a description of the capabilities we need to check. This // will be something like `"view"`, or `"edit view"`, or possibly // a longer string with custom capabilities. Later, group the objects // up into groups which need the same capabilities tested. $capabilities = (array)$capabilities; $capabilities = array_fuse($capabilities); ksort($capabilities); $group = implode(' ', $capabilities); $struct = array( 'key' => $key, 'for' => $extended_capability, 'object' => $object, 'capabilities' => $capabilities, 'group' => $group, ); $all_structs[] = $struct; } } } // Extract any bare PHIDs from the structs; we need to load these objects. // These are objects which are required in order to perform an extended // policy check but which the original viewer did not have permission to // see (they presumably had other permissions which let them load the // object in the first place). $all_phids = array(); foreach ($all_structs as $idx => $struct) { $object = $struct['object']; if (is_string($object)) { $all_phids[$object] = $object; } } // If we have some bare PHIDs, we need to load the corresponding objects. if ($all_phids) { // We can pull these with the omnipotent user because we're immediately // filtering them. $ref_objects = id(new PhabricatorObjectQuery()) ->setViewer(PhabricatorUser::getOmnipotentUser()) ->withPHIDs($all_phids) ->execute(); $ref_objects = mpull($ref_objects, null, 'getPHID'); } else { $ref_objects = array(); } // Group the list of checks by the capabilities we need to check. $groups = igroup($all_structs, 'group'); foreach ($groups as $structs) { $head = head($structs); // All of the items in each group are checking for the same capabilities. $capabilities = $head['capabilities']; $key_map = array(); $objects_in = array(); foreach ($structs as $struct) { $extended_key = $struct['key']; if (empty($extended_objects[$extended_key])) { // If this object has already been rejected by an earlier filtering // pass, we don't need to do any tests on it. continue; } $object = $struct['object']; if (is_string($object)) { // This is really a PHID, so look it up. $object_phid = $object; if (empty($ref_objects[$object_phid])) { // We weren't able to load the corresponding object, so just // reject this result outright. $reject = $extended_objects[$extended_key]; unset($extended_objects[$extended_key]); // TODO: This could be friendlier. $this->rejectObject($reject, false, ''); continue; } $object = $ref_objects[$object_phid]; } $phid = $object->getPHID(); $key_map[$phid][] = $extended_key; $objects_in[$phid] = $object; } if ($objects_in) { $objects_out = $this->executeExtendedPolicyChecks( $viewer, $capabilities, $objects_in, $key_map); $objects_out = mpull($objects_out, null, 'getPHID'); } else { $objects_out = array(); } // If any objects were removed by filtering, we're going to reject all // of the original objects which needed them. foreach ($objects_in as $phid => $object_in) { if (isset($objects_out[$phid])) { // This object survived filtering, so we don't need to throw any // results away. continue; } foreach ($key_map[$phid] as $extended_key) { if (empty($extended_objects[$extended_key])) { // We've already rejected this object, so we don't need to reject // it again. continue; } $reject = $extended_objects[$extended_key]; unset($extended_objects[$extended_key]); // It's possible that we're rejecting this object for multiple // capability/policy failures, but just pick the first one to show // to the user. $first_capability = head($capabilities); $first_policy = $object_in->getPolicy($first_capability); $this->rejectObject($reject, $first_policy, $first_capability); } } } return $extended_objects; } private function executeExtendedPolicyChecks( PhabricatorUser $viewer, array $capabilities, array $objects, array $key_map) { // Do crude cycle detection by seeing if we have a huge stack depth. // Although more sophisticated cycle detection is possible in theory, // it is difficult with hierarchical objects like subprojects. Many other // checks make it difficult to create cycles normally, so just do a // simple check here to limit damage. static $depth; $depth++; if ($depth > 32) { foreach ($objects as $key => $object) { $this->rejectObject($objects[$key], false, ''); unset($objects[$key]); continue; } } if (!$objects) { return array(); } $caught = null; try { $result = id(new PhabricatorPolicyFilter()) ->setViewer($viewer) ->requireCapabilities($capabilities) ->apply($objects); } catch (Exception $ex) { $caught = $ex; } $depth--; if ($caught) { throw $caught; } return $result; } private function checkCapability( PhabricatorPolicyInterface $object, $capability) { $policy = $this->getObjectPolicy($object, $capability); if (!$policy) { // TODO: Formalize this somehow? $policy = PhabricatorPolicies::POLICY_USER; } if ($policy == PhabricatorPolicies::POLICY_PUBLIC) { // If the object is set to "public" but that policy is disabled for this // install, restrict the policy to "user". if (!PhabricatorEnv::getEnvConfig('policy.allow-public')) { $policy = PhabricatorPolicies::POLICY_USER; } // If the object is set to "public" but the capability is not a public // capability, restrict the policy to "user". $capobj = PhabricatorPolicyCapability::getCapabilityByKey($capability); if (!$capobj || !$capobj->shouldAllowPublicPolicySetting()) { $policy = PhabricatorPolicies::POLICY_USER; } } $viewer = $this->viewer; if ($viewer->isOmnipotent()) { return true; } if ($object instanceof PhabricatorSpacesInterface) { $space_phid = $object->getSpacePHID(); if (!$this->canViewerSeeObjectsInSpace($viewer, $space_phid)) { $this->rejectObjectFromSpace($object, $space_phid); return false; } } if ($object->hasAutomaticCapability($capability, $viewer)) { return true; } switch ($policy) { case PhabricatorPolicies::POLICY_PUBLIC: return true; case PhabricatorPolicies::POLICY_USER: if ($viewer->getPHID()) { return true; } else { $this->rejectObject($object, $policy, $capability); } break; case PhabricatorPolicies::POLICY_ADMIN: if ($viewer->getIsAdmin()) { return true; } else { $this->rejectObject($object, $policy, $capability); } break; case PhabricatorPolicies::POLICY_NOONE: $this->rejectObject($object, $policy, $capability); break; default: if (PhabricatorPolicyQuery::isObjectPolicy($policy)) { if ($this->checkObjectPolicy($policy, $object)) { return true; } else { $this->rejectObject($object, $policy, $capability); break; } } $type = phid_get_type($policy); if ($type == PhabricatorProjectProjectPHIDType::TYPECONST) { if (!empty($this->userProjects[$viewer->getPHID()][$policy])) { return true; } else { $this->rejectObject($object, $policy, $capability); } } else if ($type == PhabricatorPeopleUserPHIDType::TYPECONST) { if ($viewer->getPHID() == $policy) { return true; } else { $this->rejectObject($object, $policy, $capability); } } else if ($type == PhabricatorPolicyPHIDTypePolicy::TYPECONST) { if ($this->checkCustomPolicy($policy, $object)) { return true; } else { $this->rejectObject($object, $policy, $capability); } } else { // Reject objects with unknown policies. $this->rejectObject($object, false, $capability); } } return false; } public function rejectObject( PhabricatorPolicyInterface $object, $policy, $capability) { + $viewer = $this->viewer; if (!$this->raisePolicyExceptions) { return; } - if ($this->viewer->isOmnipotent()) { + if ($viewer->isOmnipotent()) { // Never raise policy exceptions for the omnipotent viewer. Although we // will never normally issue a policy rejection for the omnipotent // viewer, we can end up here when queries blanket reject objects that // have failed to load, without distinguishing between nonexistent and // nonvisible objects. return; } $capobj = PhabricatorPolicyCapability::getCapabilityByKey($capability); $rejection = null; if ($capobj) { $rejection = $capobj->describeCapabilityRejection(); $capability_name = $capobj->getCapabilityName(); } else { $capability_name = $capability; } if (!$rejection) { // We couldn't find the capability object, or it doesn't provide a // tailored rejection string. $rejection = pht( 'You do not have the required capability ("%s") to do whatever you '. 'are trying to do.', $capability); } - $more = PhabricatorPolicy::getPolicyExplanation($this->viewer, $policy); + // See T13411. If you receive a policy exception because you can't view + // an object, we also want to avoid disclosing too many details about the + // actual policy (for example, the names of projects in the policy). + + // If you failed a "CAN_VIEW" check, or failed some other check and don't + // have "CAN_VIEW" on the object, we give you an "opaque" explanation. + // Otherwise, we give you a more detailed explanation. + + $view_capability = PhabricatorPolicyCapability::CAN_VIEW; + if ($capability === $view_capability) { + $show_details = false; + } else { + $show_details = self::hasCapability( + $viewer, + $object, + $view_capability); + } + + if ($show_details) { + $more = PhabricatorPolicy::getPolicyExplanation($viewer, $policy); + } else { + $more = PhabricatorPolicy::getOpaquePolicyExplanation($viewer, $policy); + } + $more = (array)$more; $more = array_filter($more); $exceptions = PhabricatorPolicy::getSpecialRules( $object, $this->viewer, $capability, true); $details = array_filter(array_merge($more, $exceptions)); $access_denied = $this->renderAccessDenied($object); $full_message = pht( '[%s] (%s) %s // %s', $access_denied, $capability_name, $rejection, implode(' ', $details)); $exception = id(new PhabricatorPolicyException($full_message)) ->setTitle($access_denied) ->setObjectPHID($object->getPHID()) ->setRejection($rejection) ->setCapability($capability) ->setCapabilityName($capability_name) ->setMoreInfo($details); throw $exception; } private function loadObjectPolicies(array $map) { $viewer = $this->viewer; $viewer_phid = $viewer->getPHID(); $rules = PhabricatorPolicyQuery::getObjectPolicyRules(null); // Make sure we have clean, empty policy rule objects. foreach ($rules as $key => $rule) { $rules[$key] = clone $rule; } $results = array(); foreach ($map as $key => $object_list) { $rule = idx($rules, $key); if (!$rule) { continue; } foreach ($object_list as $object_key => $object) { if (!$rule->canApplyToObject($object)) { unset($object_list[$object_key]); } } $rule->willApplyRules($viewer, array(), $object_list); $results[$key] = $rule; } $this->objectPolicies[$viewer_phid] = $results; } private function loadCustomPolicies(array $map) { $viewer = $this->viewer; $viewer_phid = $viewer->getPHID(); $custom_policies = id(new PhabricatorPolicyQuery()) ->setViewer($viewer) ->withPHIDs(array_keys($map)) ->execute(); $custom_policies = mpull($custom_policies, null, 'getPHID'); $classes = array(); $values = array(); $objects = array(); foreach ($custom_policies as $policy_phid => $policy) { foreach ($policy->getCustomRuleClasses() as $class) { $classes[$class] = $class; $values[$class][] = $policy->getCustomRuleValues($class); foreach (idx($map, $policy_phid, array()) as $object) { $objects[$class][] = $object; } } } foreach ($classes as $class => $ignored) { $rule_object = newv($class, array()); // Filter out any objects which the rule can't apply to. $target_objects = idx($objects, $class, array()); foreach ($target_objects as $key => $target_object) { if (!$rule_object->canApplyToObject($target_object)) { unset($target_objects[$key]); } } $rule_object->willApplyRules( $viewer, array_mergev($values[$class]), $target_objects); $classes[$class] = $rule_object; } foreach ($custom_policies as $policy) { $policy->attachRuleObjects($classes); } if (empty($this->customPolicies[$viewer_phid])) { $this->customPolicies[$viewer_phid] = array(); } $this->customPolicies[$viewer->getPHID()] += $custom_policies; } private function checkObjectPolicy( $policy_phid, PhabricatorPolicyInterface $object) { $viewer = $this->viewer; $viewer_phid = $viewer->getPHID(); $rule = idx($this->objectPolicies[$viewer_phid], $policy_phid); if (!$rule) { return false; } if (!$rule->canApplyToObject($object)) { return false; } return $rule->applyRule($viewer, null, $object); } private function checkCustomPolicy( $policy_phid, PhabricatorPolicyInterface $object) { $viewer = $this->viewer; $viewer_phid = $viewer->getPHID(); $policy = idx($this->customPolicies[$viewer_phid], $policy_phid); if (!$policy) { // Reject, this policy is bogus. return false; } $objects = $policy->getRuleObjects(); $action = null; foreach ($policy->getRules() as $rule) { if (!is_array($rule)) { // Reject, this policy rule is invalid. return false; } $rule_object = idx($objects, idx($rule, 'rule')); if (!$rule_object) { // Reject, this policy has a bogus rule. return false; } if (!$rule_object->canApplyToObject($object)) { // Reject, this policy rule can't be applied to the given object. return false; } // If the user matches this rule, use this action. if ($rule_object->applyRule($viewer, idx($rule, 'value'), $object)) { $action = idx($rule, 'action'); break; } } if ($action === null) { $action = $policy->getDefaultAction(); } if ($action === PhabricatorPolicy::ACTION_ALLOW) { return true; } return false; } private function getObjectPolicy( PhabricatorPolicyInterface $object, $capability) { if ($this->forcedPolicy) { return $this->forcedPolicy; } else { return $object->getPolicy($capability); } } private function renderAccessDenied(PhabricatorPolicyInterface $object) { // NOTE: Not every type of policy object has a real PHID; just load an // empty handle if a real PHID isn't available. $phid = nonempty($object->getPHID(), PhabricatorPHIDConstants::PHID_VOID); $handle = id(new PhabricatorHandleQuery()) ->setViewer($this->viewer) ->withPHIDs(array($phid)) ->executeOne(); $object_name = $handle->getObjectName(); $is_serious = PhabricatorEnv::getEnvConfig('phabricator.serious-business'); if ($is_serious) { $access_denied = pht( 'Access Denied: %s', $object_name); } else { $access_denied = pht( 'You Shall Not Pass: %s', $object_name); } return $access_denied; } private function canViewerSeeObjectsInSpace( PhabricatorUser $viewer, $space_phid) { $spaces = PhabricatorSpacesNamespaceQuery::getAllSpaces(); // If there are no spaces, everything exists in an implicit default space // with no policy controls. This is the default state. if (!$spaces) { if ($space_phid !== null) { return false; } else { return true; } } if ($space_phid === null) { $space = PhabricatorSpacesNamespaceQuery::getDefaultSpace(); } else { $space = idx($spaces, $space_phid); } if (!$space) { return false; } // This may be more involved later, but for now being able to see the // space is equivalent to being able to see everything in it. return self::hasCapability( $viewer, $space, PhabricatorPolicyCapability::CAN_VIEW); } private function rejectObjectFromSpace( PhabricatorPolicyInterface $object, $space_phid) { if (!$this->raisePolicyExceptions) { return; } if ($this->viewer->isOmnipotent()) { return; } $access_denied = $this->renderAccessDenied($object); $rejection = pht( 'This object is in a space you do not have permission to access.'); $full_message = pht('[%s] %s', $access_denied, $rejection); $exception = id(new PhabricatorPolicyException($full_message)) ->setTitle($access_denied) ->setObjectPHID($object->getPHID()) ->setRejection($rejection) ->setCapability(PhabricatorPolicyCapability::CAN_VIEW); throw $exception; } private function applyApplicationChecks(array $objects) { $viewer = $this->viewer; foreach ($objects as $key => $object) { // Don't filter handles: users are allowed to see handles from an // application they can't see even if they can not see objects from // that application. Note that the application policies still apply to // the underlying object, so these will be "Restricted Object" handles. // If we don't let these through, PhabricatorHandleQuery will completely // fail to load results for PHIDs that are part of applications which // the viewer can not see, but a fundamental property of handles is that // we always load something and they can safely be assumed to load. if ($object instanceof PhabricatorObjectHandle) { continue; } $phid = $object->getPHID(); if (!$phid) { continue; } $application_class = $this->getApplicationForPHID($phid); if ($application_class === null) { continue; } $can_see = PhabricatorApplication::isClassInstalledForViewer( $application_class, $viewer); if ($can_see) { continue; } unset($objects[$key]); $application = newv($application_class, array()); $this->rejectObject( $application, $application->getPolicy(PhabricatorPolicyCapability::CAN_VIEW), PhabricatorPolicyCapability::CAN_VIEW); } return $objects; } private function getApplicationForPHID($phid) { static $class_map = array(); $phid_type = phid_get_type($phid); if (!isset($class_map[$phid_type])) { $type_objects = PhabricatorPHIDType::getTypes(array($phid_type)); $type_object = idx($type_objects, $phid_type); if (!$type_object) { $class = false; } else { $class = $type_object->getPHIDTypeApplicationClass(); } $class_map[$phid_type] = $class; } $class = $class_map[$phid_type]; if ($class === false) { return null; } return $class; } } diff --git a/src/applications/policy/storage/PhabricatorPolicy.php b/src/applications/policy/storage/PhabricatorPolicy.php index 82d4f355bc..66a7d9e3be 100644 --- a/src/applications/policy/storage/PhabricatorPolicy.php +++ b/src/applications/policy/storage/PhabricatorPolicy.php @@ -1,494 +1,515 @@ true, self::CONFIG_SERIALIZATION => array( 'rules' => self::SERIALIZATION_JSON, ), self::CONFIG_COLUMN_SCHEMA => array( 'defaultAction' => 'text32', ), self::CONFIG_KEY_SCHEMA => array( 'key_phid' => null, 'phid' => array( 'columns' => array('phid'), 'unique' => true, ), ), ) + parent::getConfiguration(); } public function generatePHID() { return PhabricatorPHID::generateNewPHID( PhabricatorPolicyPHIDTypePolicy::TYPECONST); } public static function newFromPolicyAndHandle( $policy_identifier, PhabricatorObjectHandle $handle = null) { $is_global = PhabricatorPolicyQuery::isGlobalPolicy($policy_identifier); if ($is_global) { return PhabricatorPolicyQuery::getGlobalPolicy($policy_identifier); } $policy = PhabricatorPolicyQuery::getObjectPolicy($policy_identifier); if ($policy) { return $policy; } if (!$handle) { throw new Exception( pht( "Policy identifier is an object PHID ('%s'), but no object handle ". "was provided. A handle must be provided for object policies.", $policy_identifier)); } $handle_phid = $handle->getPHID(); if ($policy_identifier != $handle_phid) { throw new Exception( pht( "Policy identifier is an object PHID ('%s'), but the provided ". "handle has a different PHID ('%s'). The handle must correspond ". "to the policy identifier.", $policy_identifier, $handle_phid)); } $policy = id(new PhabricatorPolicy()) ->setPHID($policy_identifier) ->setHref($handle->getURI()); $phid_type = phid_get_type($policy_identifier); switch ($phid_type) { case PhabricatorProjectProjectPHIDType::TYPECONST: $policy ->setType(PhabricatorPolicyType::TYPE_PROJECT) ->setName($handle->getName()) ->setIcon($handle->getIcon()); break; case PhabricatorPeopleUserPHIDType::TYPECONST: $policy->setType(PhabricatorPolicyType::TYPE_USER); $policy->setName($handle->getFullName()); break; case PhabricatorPolicyPHIDTypePolicy::TYPECONST: // TODO: This creates a weird handle-based version of a rule policy. // It behaves correctly, but can't be applied since it doesn't have // any rules. It is used to render transactions, and might need some // cleanup. break; default: $policy->setType(PhabricatorPolicyType::TYPE_MASKED); $policy->setName($handle->getFullName()); break; } $policy->makeEphemeral(); return $policy; } public function setType($type) { $this->type = $type; return $this; } public function getType() { if (!$this->type) { return PhabricatorPolicyType::TYPE_CUSTOM; } return $this->type; } public function setName($name) { $this->name = $name; return $this; } public function getName() { if (!$this->name) { return pht('Custom Policy'); } return $this->name; } public function setShortName($short_name) { $this->shortName = $short_name; return $this; } public function getShortName() { if ($this->shortName) { return $this->shortName; } return $this->getName(); } public function setHref($href) { $this->href = $href; return $this; } public function getHref() { return $this->href; } public function setWorkflow($workflow) { $this->workflow = $workflow; return $this; } public function getWorkflow() { return $this->workflow; } public function setIcon($icon) { $this->icon = $icon; return $this; } public function getIcon() { if ($this->icon) { return $this->icon; } switch ($this->getType()) { case PhabricatorPolicyType::TYPE_GLOBAL: static $map = array( PhabricatorPolicies::POLICY_PUBLIC => 'fa-globe', PhabricatorPolicies::POLICY_USER => 'fa-users', PhabricatorPolicies::POLICY_ADMIN => 'fa-eye', PhabricatorPolicies::POLICY_NOONE => 'fa-ban', ); return idx($map, $this->getPHID(), 'fa-question-circle'); case PhabricatorPolicyType::TYPE_USER: return 'fa-user'; case PhabricatorPolicyType::TYPE_PROJECT: return 'fa-briefcase'; case PhabricatorPolicyType::TYPE_CUSTOM: case PhabricatorPolicyType::TYPE_MASKED: return 'fa-certificate'; default: return 'fa-question-circle'; } } public function getSortKey() { return sprintf( '%02d%s', PhabricatorPolicyType::getPolicyTypeOrder($this->getType()), $this->getSortName()); } private function getSortName() { if ($this->getType() == PhabricatorPolicyType::TYPE_GLOBAL) { static $map = array( PhabricatorPolicies::POLICY_PUBLIC => 0, PhabricatorPolicies::POLICY_USER => 1, PhabricatorPolicies::POLICY_ADMIN => 2, PhabricatorPolicies::POLICY_NOONE => 3, ); return idx($map, $this->getPHID()); } return $this->getName(); } public static function getPolicyExplanation( PhabricatorUser $viewer, $policy) { + $type = phid_get_type($policy); + if ($type === PhabricatorProjectProjectPHIDType::TYPECONST) { + $handle = id(new PhabricatorHandleQuery()) + ->setViewer($viewer) + ->withPHIDs(array($policy)) + ->executeOne(); + + return pht( + 'Members of the project "%s" can take this action.', + $handle->getFullName()); + } + + return self::getOpaquePolicyExplanation($viewer, $policy); + } + + public static function getOpaquePolicyExplanation( + PhabricatorUser $viewer, + $policy) { + $rule = PhabricatorPolicyQuery::getObjectPolicyRule($policy); if ($rule) { return $rule->getPolicyExplanation(); } switch ($policy) { case PhabricatorPolicies::POLICY_PUBLIC: return pht( 'This object is public and can be viewed by anyone, even if they '. 'do not have a Phabricator account.'); case PhabricatorPolicies::POLICY_USER: return pht('Logged in users can take this action.'); case PhabricatorPolicies::POLICY_ADMIN: return pht('Administrators can take this action.'); case PhabricatorPolicies::POLICY_NOONE: return pht('By default, no one can take this action.'); default: $handle = id(new PhabricatorHandleQuery()) ->setViewer($viewer) ->withPHIDs(array($policy)) ->executeOne(); $type = phid_get_type($policy); if ($type == PhabricatorProjectProjectPHIDType::TYPECONST) { return pht( - 'Members of the project "%s" can take this action.', + 'Members of a particular project can take this action. (You '. + 'can not see this object, so the name of this project is '. + 'restricted.)', $handle->getFullName()); } else if ($type == PhabricatorPeopleUserPHIDType::TYPECONST) { return pht( '%s can take this action.', $handle->getFullName()); } else if ($type == PhabricatorPolicyPHIDTypePolicy::TYPECONST) { return pht( 'This object has a custom policy controlling who can take this '. 'action.'); } else { return pht( 'This object has an unknown or invalid policy setting ("%s").', $policy); } } } public function getFullName() { switch ($this->getType()) { case PhabricatorPolicyType::TYPE_PROJECT: return pht('Members of Project: %s', $this->getName()); case PhabricatorPolicyType::TYPE_MASKED: return pht('Other: %s', $this->getName()); case PhabricatorPolicyType::TYPE_USER: return pht('Only User: %s', $this->getName()); default: return $this->getName(); } } public function newRef(PhabricatorUser $viewer) { return id(new PhabricatorPolicyRef()) ->setViewer($viewer) ->setPolicy($this); } public function isProjectPolicy() { return ($this->getType() === PhabricatorPolicyType::TYPE_PROJECT); } public function isCustomPolicy() { return ($this->getType() === PhabricatorPolicyType::TYPE_CUSTOM); } public function isMaskedPolicy() { return ($this->getType() === PhabricatorPolicyType::TYPE_MASKED); } /** * Return a list of custom rule classes (concrete subclasses of * @{class:PhabricatorPolicyRule}) this policy uses. * * @return list List of class names. */ public function getCustomRuleClasses() { $classes = array(); foreach ($this->getRules() as $rule) { if (!is_array($rule)) { // This rule is invalid. We'll reject it later, but don't need to // extract anything from it for now. continue; } $class = idx($rule, 'rule'); try { if (class_exists($class)) { $classes[$class] = $class; } } catch (Exception $ex) { continue; } } return array_keys($classes); } /** * Return a list of all values used by a given rule class to implement this * policy. This is used to bulk load data (like project memberships) in order * to apply policy filters efficiently. * * @param string Policy rule classname. * @return list List of values used in this policy. */ public function getCustomRuleValues($rule_class) { $values = array(); foreach ($this->getRules() as $rule) { if ($rule['rule'] == $rule_class) { $values[] = $rule['value']; } } return $values; } public function attachRuleObjects(array $objects) { $this->ruleObjects = $objects; return $this; } public function getRuleObjects() { return $this->assertAttached($this->ruleObjects); } /** * Return `true` if this policy is stronger (more restrictive) than some * other policy. * * Because policies are complicated, determining which policies are * "stronger" is not trivial. This method uses a very coarse working * definition of policy strength which is cheap to compute, unambiguous, * and intuitive in the common cases. * * This method returns `true` if the //class// of this policy is stronger * than the other policy, even if the policies are (or might be) the same in * practice. For example, "Members of Project X" is considered a stronger * policy than "All Users", even though "Project X" might (in some rare * cases) contain every user. * * Generally, the ordering here is: * * - Public * - All Users * - (Everything Else) * - No One * * In the "everything else" bucket, we can't make any broad claims about * which policy is stronger (and we especially can't make those claims * cheaply). * * Even if we fully evaluated each policy, the two policies might be * "Members of X" and "Members of Y", each of which permits access to some * set of unique users. In this case, neither is strictly stronger than * the other. * * @param PhabricatorPolicy Other policy. * @return bool `true` if this policy is more restrictive than the other * policy. */ public function isStrongerThan(PhabricatorPolicy $other) { $this_policy = $this->getPHID(); $other_policy = $other->getPHID(); $strengths = array( PhabricatorPolicies::POLICY_PUBLIC => -2, PhabricatorPolicies::POLICY_USER => -1, // (Default policies have strength 0.) PhabricatorPolicies::POLICY_NOONE => 1, ); $this_strength = idx($strengths, $this->getPHID(), 0); $other_strength = idx($strengths, $other->getPHID(), 0); return ($this_strength > $other_strength); } public function isValidPolicyForEdit() { return $this->getType() !== PhabricatorPolicyType::TYPE_MASKED; } public static function getSpecialRules( PhabricatorPolicyInterface $object, PhabricatorUser $viewer, $capability, $active_only) { $exceptions = array(); if ($object instanceof PhabricatorPolicyCodexInterface) { $codex = id(PhabricatorPolicyCodex::newFromObject($object, $viewer)) ->setCapability($capability); $rules = $codex->getPolicySpecialRuleDescriptions(); foreach ($rules as $rule) { $is_active = $rule->getIsActive(); if ($is_active) { $rule_capabilities = $rule->getCapabilities(); if ($rule_capabilities) { if (!in_array($capability, $rule_capabilities)) { $is_active = false; } } } if (!$is_active && $active_only) { continue; } $description = $rule->getDescription(); if (!$is_active) { $description = phutil_tag( 'span', array( 'class' => 'phui-policy-section-view-inactive-rule', ), $description); } $exceptions[] = $description; } } if (!$exceptions) { if (method_exists($object, 'describeAutomaticCapability')) { $exceptions = (array)$object->describeAutomaticCapability($capability); $exceptions = array_filter($exceptions); } } return $exceptions; } /* -( PhabricatorPolicyInterface )----------------------------------------- */ public function getCapabilities() { return array( PhabricatorPolicyCapability::CAN_VIEW, ); } public function getPolicy($capability) { // NOTE: We implement policies only so we can comply with the interface. // The actual query skips them, as enforcing policies on policies seems // perilous and isn't currently required by the application. return PhabricatorPolicies::POLICY_PUBLIC; } public function hasAutomaticCapability($capability, PhabricatorUser $viewer) { return false; } /* -( PhabricatorDestructibleInterface )----------------------------------- */ public function destroyObjectPermanently( PhabricatorDestructionEngine $engine) { $this->delete(); } }