From 3f8e5c96209d9c3211225db6733da2a86d84812e Mon Sep 17 00:00:00 2001 From: epriestley Date: Sat, 19 Dec 2015 06:29:48 -0800 Subject: [PATCH] Straighten out reorder permissions on form configurations Summary: Fixes T10012. The permissions here are little weird: you need edit permission on the //configurations//, not the //engines//. I was checking edit permission on the engines only. I should possibly make this a bit more consistent, the engine edit permission is just very convenient to use to enforce object create permission right now. I'll likely clean this up after T9789. Test Plan: - Tried to reorder forms as a less-privileged user, got proper policy errors. - Reordered forms normally as a regular user. Reviewers: chad Reviewed By: chad Subscribers: Luke081515.2 Maniphest Tasks: T10012 Differential Revision: https://secure.phabricator.com/D14824
---
 resources/celerity/map.php | 6 +++---
 ...icatorEditEngineConfigurationListController.php | 14 +++++++++-----
 ...icatorEditEngineConfigurationSortController.php | 9 +++++++++
 webroot/rsrc/css/phui/phui-list.css | 1 +
 4 files changed, 22 insertions(+), 8 deletions(-)
diff --git a/resources/celerity/map.php b/resources/celerity/map.php
index a7c5e9be32..1a0edbf896 100644
--- a/resources/celerity/map.php
+++ b/resources/celerity/map.php
@@ -7,7 +7,7 @@
 */
 return array(
 'names' => array(
- 'core.pkg.css' => 'faa11cbc',
+ 'core.pkg.css' => '4cf32aa0',
 'core.pkg.js' => 'e0379ae5',
 'darkconsole.pkg.js' => 'e7393ebb',
 'differential.pkg.css' => '2de124c9',
@@ -138,7 +138,7 @@ return array(
 'rsrc/css/phui/phui-image-mask.css' => '5a8b09c8',
 'rsrc/css/phui/phui-info-panel.css' => '27ea50a1',
 'rsrc/css/phui/phui-info-view.css' => '6d7c3509',
- 'rsrc/css/phui/phui-list.css' => 'a789942a',
+ 'rsrc/css/phui/phui-list.css' => '9da2aa00',
 'rsrc/css/phui/phui-object-box.css' => '407eaf5a',
 'rsrc/css/phui/phui-object-item-list-view.css' => '26c30d3f',
 'rsrc/css/phui/phui-pager.css' => 'bea33d23',
@@ -812,7 +812,7 @@ return array(
 'phui-info-panel-css' => '27ea50a1',
 'phui-info-view-css' => '6d7c3509',
 'phui-inline-comment-view-css' => '0fdb3667',
- 'phui-list-view-css' => 'a789942a',
+ 'phui-list-view-css' => '9da2aa00',
 'phui-object-box-css' => '407eaf5a',
 'phui-object-item-list-view-css' => '26c30d3f',
 'phui-pager-css' => 'bea33d23',
diff --git a/src/applications/transactions/controller/PhabricatorEditEngineConfigurationListController.php b/src/applications/transactions/controller/PhabricatorEditEngineConfigurationListController.php
index 7280cd050a..dbf73477da 100644
--- a/src/applications/transactions/controller/PhabricatorEditEngineConfigurationListController.php
+++ b/src/applications/transactions/controller/PhabricatorEditEngineConfigurationListController.php
@@ -13,7 +13,8 @@ final class PhabricatorEditEngineConfigurationListController
 $engine_key = $request->getURIData('engineKey');
 $this->setEngineKey($engine_key);
- $engine = PhabricatorEditEngine::getByKey($viewer, $engine_key);
+ $engine = PhabricatorEditEngine::getByKey($viewer, $engine_key)
+ ->setViewer($viewer);
 $items = array();
 $items[] = id(new PHUIListItemView())
@@ -23,9 +24,12 @@ final class PhabricatorEditEngineConfigurationListController
 $sort_create_uri = "/transactions/editengine/{$engine_key}/sort/create/";
 $sort_edit_uri = "/transactions/editengine/{$engine_key}/sort/edit/";
- $can_edit = PhabricatorPolicyFilter::hasCapability(
+ $builtins = $engine->getBuiltinEngineConfigurations();
+ $builtin = head($builtins);
+
+ $can_sort = PhabricatorPolicyFilter::hasCapability(
 $viewer,
- $engine,
+ $builtin,
 PhabricatorPolicyCapability::CAN_EDIT);
 $items[] = id(new PHUIListItemView())
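Review bot: In PhabricatorEditEngineConfigurationListController.php (hunk at -23,9), `$can_sort` is derived from only the first builtin configuration via `head($builtins)`, while the sort controller changed in this same commit requires CAN_EDIT on every configuration it loads, so the enabled state of the two "Reorder" links can disagree with what the sort endpoint will allow. This is a display-only gap, since enforcement lives in the sort controller, but the proxy deserves a comment such as `// Approximate "can reorder" with the first builtin configuration; the sort controller enforces CAN_EDIT on each configuration.` If `getBuiltinEngineConfigurations()` can ever return an empty list, `head()` would not give `hasCapability()` a policy object; that method is not visible here, so this is worth confirming. The enclosing method starts and ends outside the hunk.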
@@ -33,14 +37,14 @@ final class PhabricatorEditEngineConfigurationListController
 ->setName(pht('Reorder Create Forms'))
 ->setHref($sort_create_uri)
 ->setWorkflow(true)
- ->setDisabled(!$can_edit);
+ ->setDisabled(!$can_sort);
 $items[] = id(new PHUIListItemView())
 ->setType(PHUIListItemView::TYPE_LINK)
 ->setName(pht('Reorder Edit Forms'))
 ->setHref($sort_edit_uri)
 ->setWorkflow(true)
- ->setDisabled(!$can_edit);
+ ->setDisabled(!$can_sort);
 return id(new PhabricatorEditEngineConfigurationSearchEngine())
 ->setController($this)
diff --git a/src/applications/transactions/controller/PhabricatorEditEngineConfigurationSortController.php b/src/applications/transactions/controller/PhabricatorEditEngineConfigurationSortController.php
index c0ee0dd6dd..613a847326 100644
--- a/src/applications/transactions/controller/PhabricatorEditEngineConfigurationSortController.php
+++ b/src/applications/transactions/controller/PhabricatorEditEngineConfigurationSortController.php
@@ -39,6 +39,15 @@ final class PhabricatorEditEngineConfigurationSortController
 $configs = $query->execute();
+ // Do this check here (instead of in the Query above) to get a proper
+ // policy exception if the user doesn't satisfy
+ foreach ($configs as $config) {
+ PhabricatorPolicyFilter::requireCapability(
+ $viewer,
+ $config,
+ PhabricatorPolicyCapability::CAN_EDIT);
+ }
+
+
 if ($is_create) {
 $configs = msort($configs, 'getCreateSortKey');
 } else {
diff --git a/webroot/rsrc/css/phui/phui-list.css b/webroot/rsrc/css/phui/phui-list.css
index 6b0a068b08..25504a611d 100644
--- a/webroot/rsrc/css/phui/phui-list.css
+++ b/webroot/rsrc/css/phui/phui-list.css
@@ -62,6 +62,7 @@
 line-height: 18px;
 }
+.phabricator-side-menu .phui-list-item-disabled .phui-list-item-href,
 .phui-list-sidenav .phui-list-item-disabled .phui-list-item-href {
 color: {$lightgreytext};
 }
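Review bot: In PhabricatorEditEngineConfigurationSortController.php, the comment above the new `foreach` stops mid-sentence ("if the user doesn't satisfy") and never names the policy being enforced; finish it, for example `// policy exception if the user doesn't satisfy the edit policy of any configuration.` The loop is the actual enforcement point for reordering, and it runs zero times when `$configs` is empty. The query is built above the hunk and is not visible here, so it is worth confirming that an empty result cannot reach the reorder handling further down without any capability check. The enclosing method starts and ends outside the hunk.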