  • Tighten up some policy interactions in Herald · c8127edf
    epriestley authored
    Summary:
    Ref T603. Herald is a bit of a policy minefield right now, although I think pretty much everything has straightforward solutions. This change:
    
      - Introduces "create" and "create global" permissions for Herald.
        - Maybe "create" is sort of redundant since there's no reason to have access to the application if not creating rules, but I think this won't be the case for most applications, so having an explicit "create" permission is more consistent.
      - Add some application policy helper functions.
      - Improve rendering a bit -- I think we probably need to build some `PolicyType` class, similar to `PHIDType`, to really get this right.
      - Don't let users who can't use application X create Herald rules for application X.
      - Remove Maniphest/Pholio rules when those applications are not installed.
    
    Test Plan:
      - Restricted access to Maniphest and uninstalled Pholio.
      - Verified Pholio rules no longer appear for anyone.
      - Verified Maniphest rules no longer appear for restricted users.
      - Verified users without CREATE_GLOBAL can not create global rules.
    
    Reviewers: btrahan
    
    Reviewed By: btrahan
    
    CC: aran
    
    Maniphest Tasks: T603
    
    Differential Revision: https://secure.phabricator.com/D7219