
Remove overbearing policy checks in Phame

Summary:
Fixes T11584. This controller does unnecessary CAN_EDIT policy checks.

These checks are enforced by `EditEngine`, and you can make certain types of edits (including comments) even without full-blown edit permission.

Test Plan:
  - Commented as a user without edit permission.
  - Tried to edit as a user without edit permission, was rebuffed with a policy dialog.
  - Edited as a user with edit permission.

Reviewers: chad

Reviewed By: chad

Maniphest Tasks: T11584

Differential Revision: https://secure.phabricator.com/D16493
epriestley 2016-09-05 11:50:31 -07:00
parent 4dc37bcee0
commit 4b6da9735b


@ -21,40 +21,35 @@ final class PhamePostEditController extends PhamePostController {
$post = id(new PhamePostQuery()) $post = id(new PhamePostQuery())
->setViewer($viewer) ->setViewer($viewer)
->withIDs(array($id)) ->withIDs(array($id))
->requireCapabilities(
array(
PhabricatorPolicyCapability::CAN_VIEW,
PhabricatorPolicyCapability::CAN_EDIT,
))
->executeOne(); ->executeOne();
if (!$post) { if (!$post) {
return new Aphront404Response(); return new Aphront404Response();
} }
$blog_id = $post->getBlog()->getID(); $blog = $post->getBlog();
} else { } else {
$blog_id = head($request->getArr('blog')); $blog_id = head($request->getArr('blog'));
if (!$blog_id) { if (!$blog_id) {
$blog_id = $request->getStr('blog'); $blog_id = $request->getStr('blog');
} }
}
$query = id(new PhameBlogQuery()) $query = id(new PhameBlogQuery())
->setViewer($viewer) ->setViewer($viewer)
->requireCapabilities( ->requireCapabilities(
array( array(
PhabricatorPolicyCapability::CAN_VIEW, PhabricatorPolicyCapability::CAN_VIEW,
PhabricatorPolicyCapability::CAN_EDIT, PhabricatorPolicyCapability::CAN_EDIT,
)); ));
if (ctype_digit($blog_id)) { if (ctype_digit($blog_id)) {
$query->withIDs(array($blog_id)); $query->withIDs(array($blog_id));
} else { } else {
$query->withPHIDs(array($blog_id)); $query->withPHIDs(array($blog_id));
} }
$blog = $query->executeOne(); $blog = $query->executeOne();
if (!$blog) { if (!$blog) {
return new Aphront404Response(); return new Aphront404Response();
}
} }
$this->setBlog($blog); $this->setBlog($blog);