Add hard stops on empty batch edit sets

Summary: Ref T8637. If a user tries to batch edit a list of tasks which can't be edited, we fall through to `withIDs(array())`, which can affect //everything//. Explicitly stop batch editing if we don't have valid IDs or valid tasks. The UI sort-of warns you that something is wrong, but this is ultimately a pretty severe UX issue. I'll fix the underlying Query in the next diff. Test Plan: Tried to batch edit a list of tasks I didn't have permission to edit. Reviewers: btrahan Reviewed By: btrahan Subscribers: lloyd.oliver, epriestley Maniphest Tasks: T8637 Differential Revision: https://secure.phabricator.com/D13388
2024-11-18 12:52:42 +01:00 · 2015-06-22 11:47:58 -07:00 · 2015-06-22 11:47:58 -07:00 · 0597aba33e
commit 0597aba33e
parent d1983560a6
1 changed files with 12 additions and 0 deletions
--- a/src/applications/maniphest/controller/ManiphestBatchEditController.php
+++ b/src/applications/maniphest/controller/ManiphestBatchEditController.php
@ -25,6 +25,12 @@ final class ManiphestBatchEditController extends ManiphestController {
      $task_ids = $request->getStrList('batch');
    }

+    if (!$task_ids) {
+      throw new Exception(
+        pht(
+          'No tasks are selected.'));
+    }
+
    $tasks = id(new ManiphestTaskQuery())
      ->setViewer($viewer)
      ->withIDs($task_ids)
@ -37,6 +43,12 @@ final class ManiphestBatchEditController extends ManiphestController {
      ->needProjectPHIDs(true)
      ->execute();

+    if (!$tasks) {
+      throw new Exception(
+        pht(
+          "You don't have permission to edit any of the selected tasks."));
+    }
+
    if ($project) {
      $cancel_uri = '/project/board/'.$project->getID().'/';
      $redirect_uri = $cancel_uri;