revi-archive/phorge-phorge
1
0
Fork 0
mirror of https://we.phorge.it/source/phorge.git synced 2024-09-20 01:08:50 +02:00
Code Issues Releases Wiki Activity

Remove overbearing policy checks in Phame

Browse source 
Summary:
Fixes T11584. This controller does unnecessary CAN_EDIT policy checks.

These checks are enforced by `EditEngine`, and you can make certain types of edits (including comments) even without full-blown edit permission.

Test Plan:
  - Commented as a user without edit permission.
  - Tried to edit as a user without edit permission, was rebuffed with a policy dialog.
  - Edited as a user with edit permission.

Reviewers: chad

Reviewed By: chad

Maniphest Tasks: T11584

Differential Revision: https://secure.phabricator.com/D16493
This commit is contained in:
epriestley 2016-09-05 11:50:31 -07:00
parent 4dc37bcee0
commit 4b6da9735b
1 changed files with 17 additions and 22 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

39
src/applications/phame/controller/post/PhamePostEditController.php
View file

@ -21,40 +21,35 @@ final class PhamePostEditController extends PhamePostController {
$post = id(new PhamePostQuery())
->setViewer($viewer)
->withIDs(array($id))
->requireCapabilities(
array(
PhabricatorPolicyCapability::CAN_VIEW,
PhabricatorPolicyCapability::CAN_EDIT,
))
->executeOne();
if (!$post) {
return new Aphront404Response();
}
$blog_id = $post->getBlog()->getID();
$blog = $post->getBlog();
} else {
$blog_id = head($request->getArr('blog'));
if (!$blog_id) {
$blog_id = $request->getStr('blog');
}
}
$query = id(new PhameBlogQuery())
->setViewer($viewer)
->requireCapabilities(
array(
PhabricatorPolicyCapability::CAN_VIEW,
PhabricatorPolicyCapability::CAN_EDIT,
));
$query = id(new PhameBlogQuery())
->setViewer($viewer)
->requireCapabilities(
array(
PhabricatorPolicyCapability::CAN_VIEW,
PhabricatorPolicyCapability::CAN_EDIT,
));
if (ctype_digit($blog_id)) {
$query->withIDs(array($blog_id));
} else {
$query->withPHIDs(array($blog_id));
}
if (ctype_digit($blog_id)) {
$query->withIDs(array($blog_id));
} else {
$query->withPHIDs(array($blog_id));
}
$blog = $query->executeOne();
if (!$blog) {
return new Aphront404Response();
$blog = $query->executeOne();
if (!$blog) {
return new Aphront404Response();
}
}
$this->setBlog($blog);