Bug 1402494 - BMO Integration User is a full administrative user on Phabricator

4 files changed, 39 insertions, 18 deletions

diff --git a/extensions/PhabBugz/bin/update_project_members.pl b/extensions/PhabBugz/bin/update_project_members.pl
index 2a305da3d..fe62170a6 100755
--- a/extensions/PhabBugz/bin/update_project_members.pl
+++ b/extensions/PhabBugz/bin/update_project_members.pl
@@ -59,9 +59,15 @@ foreach my $group (@$sync_groups) {
         name => $phab_project_name
     });
     if (!$project) {
+        my $secure_revision = Bugzilla::Extension::PhabBugz::Project->new_from_query({
+            name => 'secure-revision'
+        });
         $project = Bugzilla::Extension::PhabBugz::Project->create({
             name        => $phab_project_name,
-            description => 'BMO Security Group for ' . $group->name
+            description => 'BMO Security Group for ' . $group->name,
+            view_policy => $secure_revision->phid,
+            edit_policy => $secure_revision->phid,
+            join_policy => $secure_revision->phid
         });
     }
 
diff --git a/extensions/PhabBugz/lib/Policy.pm b/extensions/PhabBugz/lib/Policy.pm
index 23f04b354..8162ac52c 100644
--- a/extensions/PhabBugz/lib/Policy.pm
+++ b/extensions/PhabBugz/lib/Policy.pm
@@ -117,7 +117,10 @@ sub create {
         };
     }
     else {
-        push @{ $data->{policy} }, { action => 'allow', value  => 'admin' };
+        my $secure_revision = Bugzilla::Extension::PhabBugz::Project->new_from_query({
+            name => 'secure-revision'
+        });
+        push @{ $data->{policy} }, { action => 'allow', value  => $secure_revision->phid };
     }
 
     my $result = request('policy.create', $data);
diff --git a/extensions/PhabBugz/lib/Project.pm b/extensions/PhabBugz/lib/Project.pm
index fd09cbecf..b0babc58b 100644
--- a/extensions/PhabBugz/lib/Project.pm
+++ b/extensions/PhabBugz/lib/Project.pm
@@ -93,9 +93,9 @@ sub BUILDARGS {
 #         "dateCreated": 1500403964,
 #         "dateModified": 1505248862,
 #         "policy": {
-#           "view": "admin",
-#           "edit": "admin",
-#           "join": "admin"
+#           "view": "secure-revision",
+#           "edit": "secure-revision",
+#           "join": "secure-revision"
 #         },
 #         "description": "BMO Security Group for core-security"
 #       },
@@ -138,9 +138,9 @@ sub create {
     $name || ThrowCodeError( 'param_required', { param => 'name' } );
 
     my $description = $params->{description} || 'Need description';
-    my $view_policy = $params->{view_policy} || 'admin';
-    my $edit_policy = $params->{edit_policy} || 'admin';
-    my $join_policy = $params->{join_policy} || 'admin';
+    my $view_policy = $params->{view_policy};
+    my $edit_policy = $params->{edit_policy};
+    my $join_policy = $params->{join_policy};
 
     my $data = {
         transactions => [
diff --git a/extensions/PhabBugz/lib/Util.pm b/extensions/PhabBugz/lib/Util.pm
index 5658ac9d8..6c51df98c 100644
--- a/extensions/PhabBugz/lib/Util.pm
+++ b/extensions/PhabBugz/lib/Util.pm
@@ -167,10 +167,13 @@ sub create_private_revision_policy {
         );
     }
     else {
+        my $secure_revision = Bugzilla::Extension::PhabBugz::Project->new_from_query({
+            name => 'secure-revision'
+        });
         push(@{ $data->{policy} },
             {
                 action => 'allow',
-                value  => 'admin',
+                value  => $secure_revision->phid,
             }
         );
     }
@@ -198,15 +201,20 @@ sub make_revision_public {
 
 sub make_revision_private {
     my ($revision_phid) = @_;
+
+    my $secure_revision = Bugzilla::Extension::PhabBugz::Project->new_from_query({
+        name => 'secure-revision'
+    });
+
     return request('differential.revision.edit', {
         transactions => [
             {
                 type  => "view",
-                value => "admin"
+                value => $secure_revision->phid
             },
             {
                 type  => "edit",
-                value => "admin"
+                value => $secure_revision->phid
             }
         ],
         objectIdentifier => $revision_phid
@@ -298,15 +306,19 @@ sub get_project_phid {
 sub create_project {
     my ($project, $description, $members) = @_;
 
+    my $secure_revision = Bugzilla::Extension::PhabBugz::Project->new_from_query({
+        name => 'secure-revision'
+    });
+
     my $data = {
         transactions => [
-            { type => 'name',  value => $project           },
-            { type => 'description', value => $description },
-            { type => 'edit',  value => 'admin'            },
-            { type => 'join',  value => 'admin'            },
-            { type => 'view',  value => 'admin'            },
-            { type => 'icon',  value => 'group'            },
-            { type => 'color', value => 'red'              }
+            { type => 'name',  value => $project               },
+            { type => 'description', value => $description     },
+            { type => 'edit',  value => $secure_revision->phid }.
+            { type => 'join',  value => $secure_revision->phid },
+            { type => 'view',  value => $secure_revision->phid },
+            { type => 'icon',  value => 'group'                },
+            { type => 'color', value => 'red'                  }
         ]
     };