This isn't blocking anything, but is parallelizable.
On Phacility instances, we need to prevent users from making some classes of changes to the instance. Some of this we can already lock, but some if it we can't. I //think// the cleanest way forward is to introduce options:
- `lock.auth` Prevents any authentication provider from being added, edited, or removed. We need this because we don't want users on instances unless they also have a `phacility.com` account, so we can send them to the correct instance when they log in to the administrative UI by accident. Instances will be configured with only an OAuth2 provider pointed at `admin.phacility.com`, and this should be immutable.
- `lock.users` Prevent creation or import of users via admin tools. Administrators need to use options on `admin.phacility.com` to do this.
I actually think that might be all we need.
These options should be low-level (e.g., in TransactionEditors if possible) and there doesn't need to be a way to disable them -- the scripts which are synchronizing this stuff can use `PhabricatorScopedEnv` to bypass the options.
Another approach, which might be cleaner, would be:
- Add a "Can Manage Providers" application-level policy to Auth.
- Add a "Can Create Users" application-level policy to People.
- Add a `policy.locked` (or similar) config option to let us lock specific application policies so they can not be edited.
That would be more flexible and maybe better? Not sure.