Merge branch 'update-2022-15'

* update-2022-15:
  Improve some PHP 8.1 behavior in "bin/auth recover"
  In Git, always "sudo" to the daemon user if a daemon user is configured
  Improve some UI/language for Phame posts when viewer doesn't have CAN_INTERACT
  Give Phame blog posts configurable interact policies, with a default policy of "Same as Blog"
  Remove unused "MARKUP_FIELD_SUMMARY" for Phame posts
  Fix a PHP 8.1 unit test failure in Projects
  Give Phame blogs mutable interact policies
  Fix double-bordered breadcrumbs in Phame blogs
  Remove ancient Remarkup constants from Phame and Maniphest
  Make Phame blog policies non-nullable

Author: dklawren

resources/sql/autopatches/20220401.phameinteract.01.sql

@@ -0,0 +1,5 @@
+UPDATE {$NAMESPACE}_phame.phame_blog
+  SET editPolicy = 'admin' WHERE editPolicy IS NULL;
+
+ALTER TABLE {$NAMESPACE}_phame.phame_blog
+  CHANGE editPolicy editPolicy VARBINARY(64) NOT NULL;

resources/sql/autopatches/20220401.phameinteract.02.sql

@@ -0,0 +1,5 @@
+UPDATE {$NAMESPACE}_phame.phame_blog
+  SET viewPolicy = 'admin' WHERE viewPolicy IS NULL;
+
+ALTER TABLE {$NAMESPACE}_phame.phame_blog
+  CHANGE viewPolicy viewPolicy VARBINARY(64) NOT NULL;

resources/sql/autopatches/20220401.phameinteract.03.sql

@@ -0,0 +1,6 @@
+ALTER TABLE {$NAMESPACE}_phame.phame_blog
+  ADD interactPolicy VARBINARY(64) NOT NULL;
+
+UPDATE {$NAMESPACE}_phame.phame_blog
+  SET interactPolicy = 'users'
+  WHERE interactPolicy = '';

resources/sql/autopatches/20220401.phameinteract.04.postinteract.sql

@@ -0,0 +1,6 @@
+ALTER TABLE {$NAMESPACE}_phame.phame_post
+  ADD interactPolicy VARBINARY(64) NOT NULL;
+
+UPDATE {$NAMESPACE}_phame.phame_post
+  SET interactPolicy = 'obj.phame.blog'
+  WHERE interactPolicy = '';

src/__phutil_library_map__.php

@@ -5277,6 +5277,7 @@
     'PhameDescriptionView' => 'applications/phame/view/PhameDescriptionView.php',
     'PhameDraftListView' => 'applications/phame/view/PhameDraftListView.php',
     'PhameHomeController' => 'applications/phame/controller/PhameHomeController.php',
+    'PhameInheritBlogPolicyRule' => 'applications/phame/policyrule/PhameInheritBlogPolicyRule.php',
     'PhameLiveController' => 'applications/phame/controller/PhameLiveController.php',
     'PhameNextPostView' => 'applications/phame/view/PhameNextPostView.php',
     'PhamePost' => 'applications/phame/storage/PhamePost.php',
@@ -5287,6 +5288,7 @@
     'PhamePostEditConduitAPIMethod' => 'applications/phame/conduit/PhamePostEditConduitAPIMethod.php',
     'PhamePostEditController' => 'applications/phame/controller/post/PhamePostEditController.php',
     'PhamePostEditEngine' => 'applications/phame/editor/PhamePostEditEngine.php',
+    'PhamePostEditEngineLock' => 'applications/phame/editor/PhamePostEditEngineLock.php',
     'PhamePostEditor' => 'applications/phame/editor/PhamePostEditor.php',
     'PhamePostFerretEngine' => 'applications/phame/search/PhamePostFerretEngine.php',
     'PhamePostFulltextEngine' => 'applications/phame/search/PhamePostFulltextEngine.php',
@@ -12167,6 +12169,7 @@
     'PhameDescriptionView' => 'AphrontTagView',
     'PhameDraftListView' => 'AphrontTagView',
     'PhameHomeController' => 'PhamePostController',
+    'PhameInheritBlogPolicyRule' => 'PhabricatorPolicyRule',
     'PhameLiveController' => 'PhameController',
     'PhameNextPostView' => 'AphrontTagView',
     'PhamePost' => array(
@@ -12180,6 +12183,7 @@
       'PhabricatorDestructibleInterface',
       'PhabricatorTokenReceiverInterface',
       'PhabricatorConduitResultInterface',
+      'PhabricatorEditEngineLockableInterface',
       'PhabricatorFulltextInterface',
       'PhabricatorFerretInterface',
     ),
@@ -12190,6 +12194,7 @@
     'PhamePostEditConduitAPIMethod' => 'PhabricatorEditEngineAPIMethod',
     'PhamePostEditController' => 'PhamePostController',
     'PhamePostEditEngine' => 'PhabricatorEditEngine',
+    'PhamePostEditEngineLock' => 'PhabricatorEditEngineLock',
     'PhamePostEditor' => 'PhabricatorApplicationTransactionEditor',
     'PhamePostFerretEngine' => 'PhabricatorFerretEngine',
     'PhamePostFulltextEngine' => 'PhabricatorFulltextEngine',

src/applications/auth/management/PhabricatorAuthManagementRevokeWorkflow.php

@@ -60,7 +60,7 @@ public function execute(PhutilArgumentParser $args) {
 
     $type = $args->getArg('type');
     $is_everything = $args->getArg('everything');
-    if (!strlen($type) && !$is_everything) {
+    if ($type === null && !$is_everything) {
       if ($is_list) {
         // By default, "bin/revoke --list" implies "--everything".
         $types = $all_types;
@@ -94,7 +94,7 @@ public function execute(PhutilArgumentParser $args) {
     $from = $args->getArg('from');
 
     if ($is_list) {
-      if (strlen($from) || $is_everywhere) {
+      if ($from !== null || $is_everywhere) {
         throw new PhutilArgumentUsageException(
           pht(
             'You can not "--list" and revoke credentials (with "--from" or '.

src/applications/diffusion/protocol/DiffusionCommandEngine.php

@@ -117,12 +117,16 @@ public function getSudoAsDaemon() {
     return $this->sudoAsDaemon;
   }
 
+  protected function shouldAlwaysSudo() {
+    return false;
+  }
+
   public function newFuture() {
     $argv = $this->newCommandArgv();
     $env = $this->newCommandEnvironment();
     $is_passthru = $this->getPassthru();
 
-    if ($this->getSudoAsDaemon()) {
+    if ($this->getSudoAsDaemon() || $this->shouldAlwaysSudo()) {
       $command = call_user_func_array('csprintf', $argv);
       $command = PhabricatorDaemon::sudoCommandAsDaemonUser($command);
       $argv = array('%C', $command);

src/applications/diffusion/protocol/DiffusionGitCommandEngine.php

@@ -13,6 +13,20 @@ protected function newFormattedCommand($pattern, array $argv) {
     return array($pattern, $argv);
   }
 
+  protected function shouldAlwaysSudo() {
+
+    // See T13673. In Git, always try to use "sudo" to execute commands as the
+    // daemon user (if such a user is configured), because Git 2.35.2 and newer
+    // (and some older versions of Git with backported security patches) refuse
+    // to execute if the top level repository directory is not owned by the
+    // current user.
+
+    // Previously, we used "sudo" only when performing writes to the
+    // repository directory.
+
+    return true;
+  }
+
   protected function newCustomEnvironment() {
     $env = array();
 

src/applications/herald/storage/transcript/HeraldTranscript.php

@@ -66,6 +66,10 @@ public static function saveXHeraldRulesHeader($phid, $header) {
   }
 
   private static function combineXHeraldRulesHeaders($u, $v) {
+    if ($u === null) {
+      return $v;
+    }
+
     $u = preg_split('/[, ]+/', $u);
     $v = preg_split('/[, ]+/', $v);
 

src/applications/maniphest/storage/ManiphestTask.php

@@ -24,8 +24,6 @@ final class ManiphestTask extends ManiphestDAO
     PhabricatorPolicyCodexInterface,
     PhabricatorUnlockableInterface {
 
-  const MARKUP_FIELD_DESCRIPTION = 'markup:desc';
-
   protected $authorPHID;
   protected $ownerPHID;
 

src/applications/phame/controller/blog/PhameBlogManageController.php

@@ -143,11 +143,6 @@ private function buildPropertyView(PhameBlog $blog) {
         ),
         $feed_uri));
 
-    $engine = id(new PhabricatorMarkupEngine())
-      ->setViewer($viewer)
-      ->addObject($blog, PhameBlog::MARKUP_FIELD_DESCRIPTION)
-      ->process();
-
     $description = $blog->getDescription();
     if (strlen($description)) {
       $description = new PHUIRemarkupView($viewer, $description);

src/applications/phame/controller/blog/PhameBlogViewController.php

@@ -103,7 +103,8 @@ public function handleRequest(AphrontRequest $request) {
       ->setDescription($description)
       ->setImage($blog->getProfileImageURI());
 
-    $crumbs = $this->buildApplicationCrumbs();
+    $crumbs = $this->buildApplicationCrumbs()
+      ->setBorder(false);
 
     $page = $this->newPage()
       ->setTitle($blog->getName())

src/applications/phame/editor/PhameBlogEditor.php

@@ -21,8 +21,10 @@ public function getCreateObjectTitleForFeed($author, $object) {
 
   public function getTransactionTypes() {
     $types = parent::getTransactionTypes();
+
     $types[] = PhabricatorTransactions::TYPE_VIEW_POLICY;
     $types[] = PhabricatorTransactions::TYPE_EDIT_POLICY;
+    $types[] = PhabricatorTransactions::TYPE_INTERACT_POLICY;
 
     return $types;
   }

src/applications/phame/editor/PhamePostEditEngineLock.php

@@ -0,0 +1,29 @@
+<?php
+
+final class PhamePostEditEngineLock
+  extends PhabricatorEditEngineLock {
+
+  public function willPromptUserForLockOverrideWithDialog(
+    AphrontDialogView $dialog) {
+
+    return $dialog
+      ->setTitle(pht('Edit Locked Post'))
+      ->appendParagraph(
+          pht('Comments are disabled for this post. Edit it anyway?'))
+      ->addSubmitButton(pht('Edit Post'));
+  }
+
+  public function willBlockUserInteractionWithDialog(
+    AphrontDialogView $dialog) {
+
+    return $dialog
+      ->setTitle(pht('Post Locked'))
+      ->appendParagraph(
+        pht('You can not interact with this post because it is locked.'));
+  }
+
+  public function getLockedObjectDisplayText() {
+    return pht('Comments have been disabled for this post.');
+  }
+
+}

src/applications/phame/editor/PhamePostEditor.php

@@ -21,6 +21,8 @@ public function getCreateObjectTitleForFeed($author, $object) {
 
   public function getTransactionTypes() {
     $types = parent::getTransactionTypes();
+
+    $types[] = PhabricatorTransactions::TYPE_INTERACT_POLICY;
     $types[] = PhabricatorTransactions::TYPE_COMMENT;
 
     return $types;

src/applications/phame/policyrule/PhameInheritBlogPolicyRule.php

@@ -0,0 +1,51 @@
+<?php
+
+final class PhameInheritBlogPolicyRule
+  extends PhabricatorPolicyRule {
+
+  public function getObjectPolicyKey() {
+    return 'phame.blog';
+  }
+
+  public function getObjectPolicyName() {
+    return pht('Same as Blog');
+  }
+
+  public function getPolicyExplanation() {
+    return pht('Use the same policy as the parent blog.');
+  }
+
+  public function getRuleDescription() {
+    return pht('inherit from blog');
+  }
+
+  public function getObjectPolicyIcon() {
+    return 'fa-feed';
+  }
+
+  public function canApplyToObject(PhabricatorPolicyInterface $object) {
+    return ($object instanceof PhamePost);
+  }
+
+  public function applyRule(
+    PhabricatorUser $viewer,
+    $value,
+    PhabricatorPolicyInterface $object) {
+
+    // TODO: This is incorrect in the general case, but: "PolicyRule" currently
+    // does not know which capability it is evaluating (so we can't test for
+    // the correct capability); and "PhamePost" currently has immutable view
+    // and edit policies (so we can only arrive here when evaluating the
+    // interact policy).
+
+    return PhabricatorPolicyFilter::hasCapability(
+      $viewer,
+      $object->getBlog(),
+      PhabricatorPolicyCapability::CAN_INTERACT);
+  }
+
+  public function getValueControlType() {
+    return self::CONTROL_TYPE_NONE;
+  }
+
+}

src/applications/phame/storage/PhameBlog.php

@@ -13,8 +13,6 @@ final class PhameBlog extends PhameDAO
     PhabricatorFulltextInterface,
     PhabricatorFerretInterface {
 
-  const MARKUP_FIELD_DESCRIPTION = 'markup:description';
-
   protected $name;
   protected $subtitle;
   protected $description;
@@ -26,6 +24,7 @@ final class PhameBlog extends PhameDAO
   protected $creatorPHID;
   protected $viewPolicy;
   protected $editPolicy;
+  protected $interactPolicy;
   protected $status;
   protected $mailKey;
   protected $profileImagePHID;
@@ -56,10 +55,9 @@ protected function getConfiguration() {
         'profileImagePHID' => 'phid?',
         'headerImagePHID' => 'phid?',
 
-        // T6203/NULLABILITY
-        // These policies should always be non-null.
-        'editPolicy' => 'policy?',
-        'viewPolicy' => 'policy?',
+        'editPolicy' => 'policy',
+        'viewPolicy' => 'policy',
+        'interactPolicy' => 'policy',
       ),
       self::CONFIG_KEY_SCHEMA => array(
         'key_phid' => null,
@@ -92,7 +90,9 @@ public static function initializeNewBlog(PhabricatorUser $actor) {
       ->setCreatorPHID($actor->getPHID())
       ->setStatus(self::STATUS_ACTIVE)
       ->setViewPolicy(PhabricatorPolicies::getMostOpenPolicy())
-      ->setEditPolicy(PhabricatorPolicies::POLICY_USER);
+      ->setEditPolicy(PhabricatorPolicies::POLICY_USER)
+      ->setInteractPolicy(PhabricatorPolicies::POLICY_USER);
+
     return $blog;
   }
 
@@ -233,6 +233,7 @@ public function getHeaderImageFile() {
   public function getCapabilities() {
     return array(
       PhabricatorPolicyCapability::CAN_VIEW,
+      PhabricatorPolicyCapability::CAN_INTERACT,
       PhabricatorPolicyCapability::CAN_EDIT,
     );
   }
@@ -242,6 +243,8 @@ public function getPolicy($capability) {
     switch ($capability) {
       case PhabricatorPolicyCapability::CAN_VIEW:
         return $this->getViewPolicy();
+      case PhabricatorPolicyCapability::CAN_INTERACT:
+        return $this->getInteractPolicy();
       case PhabricatorPolicyCapability::CAN_EDIT:
         return $this->getEditPolicy();
     }