Forbid adding non-users to Conpherence threads

Summary: Fixes T6724. Adds validation that participants are users. Test Plan: - Tried to add non-users, got an error. - Added users normally. Reviewers: btrahan Reviewed By: btrahan Subscribers: epriestley Maniphest Tasks: T6724 Differential Revision: https://secure.phabricator.com/D11955
2025-03-08 18:34:47 +01:00 · 2015-03-03 10:40:00 -08:00 · 2015-03-03 10:40:00 -08:00 · 47b54389e5
commit 47b54389e5
parent f391364bb7
2 changed files with 46 additions and 2 deletions
--- a/src/applications/conpherence/editor/ConpherenceEditor.php
+++ b/src/applications/conpherence/editor/ConpherenceEditor.php
@ -478,4 +478,43 @@ final class ConpherenceEditor extends PhabricatorApplicationTransactionEditor {
    );
  }

+  protected function validateTransaction(
+    PhabricatorLiskDAO $object,
+    $type,
+    array $xactions) {
+
+    $errors = parent::validateTransaction($object, $type, $xactions);
+
+    switch ($type) {
+      case ConpherenceTransactionType::TYPE_PARTICIPANTS:
+        foreach ($xactions as $xaction) {
+          $phids = $this->getPHIDTransactionNewValue(
+            $xaction,
+            $object->getParticipantPHIDs());
+
+          if (!$phids) {
+            continue;
+          }
+
+          $users = id(new PhabricatorPeopleQuery())
+            ->setViewer($this->requireActor())
+            ->withPHIDs($phids)
+            ->execute();
+          $users = mpull($users, null, 'getPHID');
+          foreach ($phids as $phid) {
+            if (isset($users[$phid])) {
+              continue;
+            }
+            $errors[] = new PhabricatorApplicationTransactionValidationError(
+              $type,
+              pht('Invalid'),
+              pht('New thread member "%s" is not a valid user.', $phid),
+              $xaction);
+          }
+        }
+        break;
+    }
+
+    return $errors;
+  }
 }
--- a/src/applications/transactions/editor/PhabricatorApplicationTransactionEditor.php
+++ b/src/applications/transactions/editor/PhabricatorApplicationTransactionEditor.php
@ -1397,9 +1397,14 @@ abstract class PhabricatorApplicationTransactionEditor
  }

  protected function getPHIDTransactionNewValue(
-    PhabricatorApplicationTransaction $xaction) {
+    PhabricatorApplicationTransaction $xaction,
+    $old = null) {

-    $old = array_fuse($xaction->getOldValue());
+    if ($old) {
+      $old = array_fuse($old);
+    } else {
+      $old = array_fuse($xaction->getOldValue());
+    }

    $new = $xaction->getNewValue();
    $new_add = idx($new, '+', array());