Add Drydock default edit/view policies and a "Create Blueprint" policy

Summary: Ref T2015. Allow configuration of default edit/view policies for blueprints. Add create policy. Remove administrative exception in policies.

Test Plan: Configured these settings and created (or, with a restrictive create setting, tried to create) blueprints.

Reviewers: btrahan

Reviewed By: btrahan

CC: aran

Maniphest Tasks: T2015

Differential Revision: https://secure.phabricator.com/D7921

Author: epriestley

src/__phutil_library_map__.php

@@ -653,6 +653,9 @@
     'DrydockBlueprintScopeGuard' => 'applications/drydock/util/DrydockBlueprintScopeGuard.php',
     'DrydockBlueprintSearchEngine' => 'applications/drydock/query/DrydockBlueprintSearchEngine.php',
     'DrydockBlueprintViewController' => 'applications/drydock/controller/DrydockBlueprintViewController.php',
+    'DrydockCapabilityCreateBlueprints' => 'applications/drydock/capability/DrydockCapabilityCreateBlueprints.php',
+    'DrydockCapabilityDefaultEdit' => 'applications/drydock/capability/DrydockCapabilityDefaultEdit.php',
+    'DrydockCapabilityDefaultView' => 'applications/drydock/capability/DrydockCapabilityDefaultView.php',
     'DrydockCommandInterface' => 'applications/drydock/interface/command/DrydockCommandInterface.php',
     'DrydockConsoleController' => 'applications/drydock/controller/DrydockConsoleController.php',
     'DrydockConstants' => 'applications/drydock/constants/DrydockConstants.php',
@@ -3080,6 +3083,9 @@
     'DrydockBlueprintQuery' => 'DrydockQuery',
     'DrydockBlueprintSearchEngine' => 'PhabricatorApplicationSearchEngine',
     'DrydockBlueprintViewController' => 'DrydockBlueprintController',
+    'DrydockCapabilityCreateBlueprints' => 'PhabricatorPolicyCapability',
+    'DrydockCapabilityDefaultEdit' => 'PhabricatorPolicyCapability',
+    'DrydockCapabilityDefaultView' => 'PhabricatorPolicyCapability',
     'DrydockCommandInterface' => 'DrydockInterface',
     'DrydockConsoleController' => 'DrydockController',
     'DrydockController' => 'PhabricatorController',

src/applications/drydock/application/PhabricatorApplicationDrydock.php

@@ -7,7 +7,7 @@ public function getBaseURI() {
   }
 
   public function getShortDescription() {
-    return 'Allocate Software Resources';
+    return pht('Allocate Software Resources');
   }
 
   public function getIconName() {
@@ -57,4 +57,18 @@ public function getRoutes() {
     );
   }
 
+  protected function getCustomCapabilities() {
+    return array(
+      DrydockCapabilityDefaultView::CAPABILITY => array(
+      ),
+      DrydockCapabilityDefaultEdit::CAPABILITY => array(
+        'default' => PhabricatorPolicies::POLICY_ADMIN,
+      ),
+      DrydockCapabilityCreateBlueprints::CAPABILITY => array(
+        'default' => PhabricatorPolicies::POLICY_ADMIN,
+      ),
+    );
+  }
+
+
 }

src/applications/drydock/capability/DrydockCapabilityCreateBlueprints.php

@@ -0,0 +1,20 @@
+<?php
+
+final class DrydockCapabilityCreateBlueprints
+  extends PhabricatorPolicyCapability {
+
+  const CAPABILITY = 'drydock.blueprint.create';
+
+  public function getCapabilityKey() {
+    return self::CAPABILITY;
+  }
+
+  public function getCapabilityName() {
+    return pht('Can Create Blueprints');
+  }
+
+  public function describeCapabilityRejection() {
+    return pht('You do not have permission to create Drydock blueprints.');
+  }
+
+}

src/applications/drydock/capability/DrydockCapabilityDefaultEdit.php

@@ -0,0 +1,16 @@
+<?php
+
+final class DrydockCapabilityDefaultEdit
+  extends PhabricatorPolicyCapability {
+
+  const CAPABILITY = 'drydock.default.edit';
+
+  public function getCapabilityKey() {
+    return self::CAPABILITY;
+  }
+
+  public function getCapabilityName() {
+    return pht('Default Blueprint Edit Policy');
+  }
+
+}

src/applications/drydock/capability/DrydockCapabilityDefaultView.php

@@ -0,0 +1,16 @@
+<?php
+
+final class DrydockCapabilityDefaultView
+  extends PhabricatorPolicyCapability {
+
+  const CAPABILITY = 'drydock.default.view';
+
+  public function getCapabilityKey() {
+    return self::CAPABILITY;
+  }
+
+  public function getCapabilityName() {
+    return pht('Default Blueprint View Policy');
+  }
+
+}

src/applications/drydock/controller/DrydockBlueprintCreateController.php

@@ -7,6 +7,9 @@ public function processRequest() {
     $request = $this->getRequest();
     $viewer = $request->getUser();
 
+    $this->requireApplicationCapability(
+      DrydockCapabilityCreateBlueprints::CAPABILITY);
+
     $implementations =
       DrydockBlueprintImplementation::getAllBlueprintImplementations();
 

src/applications/drydock/controller/DrydockBlueprintEditController.php

@@ -29,6 +29,9 @@ public function processRequest() {
       $impl = $blueprint->getImplementation();
       $cancel_uri = $this->getApplicationURI('blueprint/'.$this->id.'/');
     } else {
+      $this->requireApplicationCapability(
+        DrydockCapabilityCreateBlueprints::CAPABILITY);
+
       $class = $request->getStr('class');
 
       $impl = DrydockBlueprintImplementation::getNamedImplementation($class);

src/applications/drydock/controller/DrydockBlueprintListController.php

@@ -50,11 +50,16 @@ public function renderResultsList(
   }
 
   public function buildApplicationCrumbs() {
+    $can_create = $this->hasApplicationCapability(
+      DrydockCapabilityCreateBlueprints::CAPABILITY);
+
     $crumbs = parent::buildApplicationCrumbs();
     $crumbs->addAction(
       id(new PHUIListItemView())
         ->setName(pht('New Blueprint'))
         ->setHref($this->getApplicationURI('/blueprint/create/'))
+        ->setDisabled(!$can_create)
+        ->setWorkflow(!$can_create)
         ->setIcon('create'));
     return $crumbs;
   }

src/applications/drydock/storage/DrydockBlueprint.php

@@ -12,7 +12,19 @@ final class DrydockBlueprint extends DrydockDAO
   private $implementation = self::ATTACHABLE;
 
   public static function initializeNewBlueprint(PhabricatorUser $actor) {
+    $app = id(new PhabricatorApplicationQuery())
+      ->setViewer($actor)
+      ->withClasses(array('PhabricatorApplicationDrydock'))
+      ->executeOne();
+
+    $view_policy = $app->getPolicy(
+      DrydockCapabilityDefaultView::CAPABILITY);
+    $edit_policy = $app->getPolicy(
+      DrydockCapabilityDefaultEdit::CAPABILITY);
+
     return id(new DrydockBlueprint())
+      ->setViewPolicy($view_policy)
+      ->setEditPolicy($edit_policy)
       ->setBlueprintName('');
   }
 
@@ -67,19 +79,10 @@ public function getPolicy($capability) {
   }
 
   public function hasAutomaticCapability($capability, PhabricatorUser $viewer) {
-    switch ($capability) {
-      case PhabricatorPolicyCapability::CAN_VIEW:
-      case PhabricatorPolicyCapability::CAN_EDIT:
-        return $viewer->getIsAdmin();
-    }
+    return false;
   }
 
   public function describeAutomaticCapability($capability) {
-    switch ($capability) {
-      case PhabricatorPolicyCapability::CAN_VIEW:
-        return pht('Administrators can always view blueprints.');
-      case PhabricatorPolicyCapability::CAN_EDIT:
-        return pht('Administrators can always edit blueprints.');
-    }
+    return null;
   }
 }