From 4b6da9735ba7cd1e67cc4ef8f0df8f089cf419f7 Mon Sep 17 00:00:00 2001 From: epriestley Date: Mon, 5 Sep 2016 11:50:31 -0700 Subject: [PATCH] Remove overbearing policy checks in Phame Summary: Fixes T11584. This controller does unnecessary CAN_EDIT policy checks. These checks are enforced by `EditEngine`, and you can make certain types of edits (including comments) even without full-blown edit permission. Test Plan: - Commented as a user without edit permission. - Tried to edit as a user without edit permission, was rebuffed with a policy dialog. - Edited as a user with edit permission. Reviewers: chad Reviewed By: chad Maniphest Tasks: T11584 Differential Revision: https://secure.phabricator.com/D16493
---
 .../post/PhamePostEditController.php | 39 ++++++++----------- 1 file changed, 17 insertions(+), 22 deletions(-)
diff --git a/src/applications/phame/controller/post/PhamePostEditController.php b/src/applications/phame/controller/post/PhamePostEditController.php
index 91df519adb..88cd109d81 100644
--- a/src/applications/phame/controller/post/PhamePostEditController.php
+++ b/src/applications/phame/controller/post/PhamePostEditController.php
@@ -21,40 +21,35 @@ final class PhamePostEditController extends PhamePostController {
 $post = id(new PhamePostQuery())
 ->setViewer($viewer)
 ->withIDs(array($id))
- ->requireCapabilities(
- array(
- PhabricatorPolicyCapability::CAN_VIEW,
- PhabricatorPolicyCapability::CAN_EDIT,
- ))
 ->executeOne();
 if (!$post) {
 return new Aphront404Response();
 }
- $blog_id = $post->getBlog()->getID();
+ $blog = $post->getBlog();
 } else {
 $blog_id = head($request->getArr('blog'));
 if (!$blog_id) {
 $blog_id = $request->getStr('blog');
 }
- }
- $query = id(new PhameBlogQuery())
- ->setViewer($viewer)
- ->requireCapabilities(
- array(
- PhabricatorPolicyCapability::CAN_VIEW,
- PhabricatorPolicyCapability::CAN_EDIT,
- ));
+ $query = id(new PhameBlogQuery())
+ ->setViewer($viewer)
+ ->requireCapabilities(
+ array(
+ PhabricatorPolicyCapability::CAN_VIEW,
+ PhabricatorPolicyCapability::CAN_EDIT,
+ ));
- if (ctype_digit($blog_id)) {
- $query->withIDs(array($blog_id));
- } else {
- $query->withPHIDs(array($blog_id));
- }
+ if (ctype_digit($blog_id)) {
+ $query->withIDs(array($blog_id));
+ } else {
+ $query->withPHIDs(array($blog_id));
+ }
- $blog = $query->executeOne();
- if (!$blog) {
- return new Aphront404Response();
+ $blog = $query->executeOne();
+ if (!$blog) {
+ return new Aphront404Response();
+ }
 }
 $this->setBlog($blog);
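Review bot: In the existing-post branch, `$blog = $post->getBlog();` now reaches `$this->setBlog($blog)` with no explicit CAN_VIEW/CAN_EDIT requirement on the blog itself, whereas the new-post branch still requires both on the blog; that asymmetry is the intent of the change, but any later use of `$blog` in this controller (outside the hunk) that presumably assumed the viewer could edit the blog should be re-checked. Because the asymmetry is easy to misread as an omission, a short comment above the new `$blog` line would document where enforcement now lives, e.g. `// Edit policy is enforced by EditEngine, not here: some edits (such as comments) are allowed without CAN_EDIT on the post or its blog.` The enclosing method starts and ends outside the hunk.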