mirror of
https://we.phorge.it/source/phorge.git
synced 2024-12-28 08:20:57 +01:00
Phriction - if you can't edit x/y don't allow creating x/y/z
Summary: ...how do you lock down entire areas otherwise? Fixes T6496. Test Plan: used user 1 to create x/y that user 2 can't edit. tried to create x/y/z as user 2 and got a big ole error dialogue. Reviewers: epriestley Reviewed By: epriestley Subscribers: Korvin, epriestley Maniphest Tasks: T6496 Differential Revision: https://secure.phabricator.com/D10819
This commit is contained in:
parent
b655699a6c
commit
6f971a0fc4
1 changed files with 52 additions and 0 deletions
|
@ -587,6 +587,58 @@ final class PhrictionTransactionEditor
|
|||
}
|
||||
return $error;
|
||||
}
|
||||
protected function requireCapabilities(
|
||||
PhabricatorLiskDAO $object,
|
||||
PhabricatorApplicationTransaction $xaction) {
|
||||
|
||||
/*
|
||||
* New objects have a special case. If a user can't see
|
||||
* x/y
|
||||
* then definitely don't let them make some
|
||||
* x/y/z
|
||||
* We need to load the direct parent to handle this case.
|
||||
*/
|
||||
if ($this->getIsNewObject()) {
|
||||
$actor = $this->requireActor();
|
||||
$parent_doc = null;
|
||||
$ancestral_slugs = PhabricatorSlug::getAncestry($object->getSlug());
|
||||
// No ancestral slugs is "/"; the first person gets to play with "/".
|
||||
if ($ancestral_slugs) {
|
||||
$parent = end($ancestral_slugs);
|
||||
$parent_doc = id(new PhrictionDocumentQuery())
|
||||
->setViewer($actor)
|
||||
->withSlugs(array($parent))
|
||||
->executeOne();
|
||||
// If the $actor can't see the $parent_doc then they can't create
|
||||
// the child $object; throw a policy exception.
|
||||
if (!$parent_doc) {
|
||||
id(new PhabricatorPolicyFilter())
|
||||
->setViewer($actor)
|
||||
->raisePolicyExceptions(true)
|
||||
->rejectObject(
|
||||
$object,
|
||||
$object->getEditPolicy(),
|
||||
PhabricatorPolicyCapability::CAN_EDIT);
|
||||
}
|
||||
|
||||
// If the $actor can't edit the $parent_doc then they can't create
|
||||
// the child $object; throw a policy exception.
|
||||
if (!PhabricatorPolicyFilter::hasCapability(
|
||||
$actor,
|
||||
$parent_doc,
|
||||
PhabricatorPolicyCapability::CAN_EDIT)) {
|
||||
id(new PhabricatorPolicyFilter())
|
||||
->setViewer($actor)
|
||||
->raisePolicyExceptions(true)
|
||||
->rejectObject(
|
||||
$object,
|
||||
$object->getEditPolicy(),
|
||||
PhabricatorPolicyCapability::CAN_EDIT);
|
||||
}
|
||||
}
|
||||
}
|
||||
return parent::requireCapabilities($object, $xaction);
|
||||
}
|
||||
|
||||
protected function supportsSearch() {
|
||||
return true;
|
||||
|
|
Loading…
Reference in a new issue