Homec4science

Tighten up some policy interactions in Herald

Authored by epriestley <git@epriestley.com> on Oct 5 2013, 00:15.

Description

Tighten up some policy interactions in Herald

Summary:
Ref T603. Herald is a bit of a policy minefield right now, although I think pretty much everything has straightforward solutions. This change:

  • Introduces "create" and "create global" permisions for Herald.
    • Maybe "create" is sort of redundant since there's no reason to have access to the application if not creating rules, but I think this won't be the case for most applications, so having an explicit "create" permission is more consistent.
  • Add some application policy helper functions.
  • Improve rendering a bit -- I think we probably need to build some PolicyType class, similar to PHIDType, to really get this right.
  • Don't let users who can't use application X create Herald rules for application X.
  • Remove Maniphest/Pholio rules when those applications are not installed.

Test Plan:

  • Restricted access to Maniphest and uninstalled Pholio.
  • Verified Pholio rules no longer appear for anyone.
  • Verified Maniphest ruls no longer appear for restricted users.
  • Verified users without CREATE_GLOBAL can not create global ruls.

Reviewers: btrahan

Reviewed By: btrahan

CC: aran

Maniphest Tasks: T603

Differential Revision: https://secure.phabricator.com/D7219

Details

Committed
epriestley <git@epriestley.com>Oct 5 2013, 00:15
Pushed
aubortJan 31 2017, 17:16
Parents
rPHa600ab77316f: Prevent administrators from locking themselves out of applications
Branches
Unknown
Tags
Unknown

Event Timeline

epriestley <git@epriestley.com> committed rPHc8127edfe9a8: Tighten up some policy interactions in Herald (authored by epriestley <git@epriestley.com>).Oct 5 2013, 00:15