Remove overbearing policy checks in Phame
Summary: Fixes T11584. This controller does unnecessary CAN_EDIT policy checks. These checks are enforced by `EditEngine`, and you can make certain types of edits (including comments) even without full-blown edit permission. Test Plan: - Commented as a user without edit permission. - Tried to edit as a user without edit permission, was rebuffed with a policy dialog. - Edited as a user with edit permission. Reviewers: chad Reviewed By: chad Maniphest Tasks: T11584 Differential Revision: https://secure.phabricator.com/D16493
parent
4dc37bcee0
commit
4b6da9735b
1 changed files with 17 additions and 22 deletions
|
@ -21,40 +21,35 @@ final class PhamePostEditController extends PhamePostController {
|
|||
$post = id(new PhamePostQuery())
|
||||
->setViewer($viewer)
|
||||
->withIDs(array($id))
|
||||
->requireCapabilities(
|
||||
array(
|
||||
PhabricatorPolicyCapability::CAN_VIEW,
|
||||
PhabricatorPolicyCapability::CAN_EDIT,
|
||||
))
|
||||
->executeOne();
|
||||
if (!$post) {
|
||||
return new Aphront404Response();
|
||||
}
|
||||
$blog_id = $post->getBlog()->getID();
|
||||
$blog = $post->getBlog();
|
||||
} else {
|
||||
$blog_id = head($request->getArr('blog'));
|
||||
if (!$blog_id) {
|
||||
$blog_id = $request->getStr('blog');
|
||||
}
|
||||
}
|
||||
|
||||
$query = id(new PhameBlogQuery())
|
||||
->setViewer($viewer)
|
||||
->requireCapabilities(
|
||||
array(
|
||||
PhabricatorPolicyCapability::CAN_VIEW,
|
||||
PhabricatorPolicyCapability::CAN_EDIT,
|
||||
));
|
||||
$query = id(new PhameBlogQuery())
|
||||
->setViewer($viewer)
|
||||
->requireCapabilities(
|
||||
array(
|
||||
PhabricatorPolicyCapability::CAN_VIEW,
|
||||
PhabricatorPolicyCapability::CAN_EDIT,
|
||||
));
|
||||
|
||||
if (ctype_digit($blog_id)) {
|
||||
$query->withIDs(array($blog_id));
|
||||
} else {
|
||||
$query->withPHIDs(array($blog_id));
|
||||
}
|
||||
if (ctype_digit($blog_id)) {
|
||||
$query->withIDs(array($blog_id));
|
||||
} else {
|
||||
$query->withPHIDs(array($blog_id));
|
||||
}
|
||||
|
||||
$blog = $query->executeOne();
|
||||
if (!$blog) {
|
||||
return new Aphront404Response();
|
||||
$blog = $query->executeOne();
|
||||
if (!$blog) {
|
||||
return new Aphront404Response();
|
||||
}
|
||||
}
|
||||
|
||||
$this->setBlog($blog);
|
||||
|
|
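Review bot: Nothing in the new code records that the edit-capability check on the `PhamePostQuery` load at the top of the hunk is now delegated to `EditEngine`, which leaves that engine as the only thing between a view-only user and the post on the edit branch. The `+`/`-` markers are lost on this page, so which copy of each repeated line is the new side is inferred from the summary and the 17/22 counts; on that reading the post is loaded with view permission only, and `$blog = $post->getBlog();` feeds `$this->setBlog($blog)` without a blog-level edit check. I would add a comment above the query: `// Only view is required to load the post; EditEngine enforces edit policy per edit type, so do not mutate or expose edit-only data before it runs.` The engine call and the start of the method are outside the hunk, so it is worth confirming that no write happens between this load and the engine's own check.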