From 6f971a0fc4d8efaa165d1d039445d1075add695e Mon Sep 17 00:00:00 2001
From: Bob Trahan <btrahan@phacility.com>
Date: Sat, 8 Nov 2014 18:12:21 -0800
Subject: [PATCH] Phriction - if you can't edit x/y don't allow creating x/y/z

Summary: ...how do you lock down entire areas otherwise? Fixes T6496.

Test Plan: used user 1 to create x/y that user 2 can't edit. tried to create x/y/z as user 2 and got a big ole error dialogue.

Reviewers: epriestley

Reviewed By: epriestley

Subscribers: Korvin, epriestley

Maniphest Tasks: T6496

Differential Revision: https://secure.phabricator.com/D10819
---
 .../editor/PhrictionTransactionEditor.php     | 52 +++++++++++++++++++
 1 file changed, 52 insertions(+)

diff --git a/src/applications/phriction/editor/PhrictionTransactionEditor.php b/src/applications/phriction/editor/PhrictionTransactionEditor.php
index af40cf117e..a1c369ae93 100644
--- a/src/applications/phriction/editor/PhrictionTransactionEditor.php
+++ b/src/applications/phriction/editor/PhrictionTransactionEditor.php
@@ -587,6 +587,58 @@ final class PhrictionTransactionEditor
     }
     return $error;
   }
+  protected function requireCapabilities(
+    PhabricatorLiskDAO $object,
+    PhabricatorApplicationTransaction $xaction) {
+
+    /*
+     * New objects have a special case. If a user can't see
+     *   x/y
+     * then definitely don't let them make some
+     *   x/y/z
+     * We need to load the direct parent to handle this case.
+     */
+    if ($this->getIsNewObject()) {
+      $actor = $this->requireActor();
+      $parent_doc = null;
+      $ancestral_slugs = PhabricatorSlug::getAncestry($object->getSlug());
+      // No ancestral slugs is "/"; the first person gets to play with "/".
+      if ($ancestral_slugs) {
+        $parent = end($ancestral_slugs);
+        $parent_doc = id(new PhrictionDocumentQuery())
+          ->setViewer($actor)
+          ->withSlugs(array($parent))
+          ->executeOne();
+        // If the $actor can't see the $parent_doc then they can't create
+        // the child $object; throw a policy exception.
+        if (!$parent_doc) {
+          id(new PhabricatorPolicyFilter())
+            ->setViewer($actor)
+            ->raisePolicyExceptions(true)
+            ->rejectObject(
+              $object,
+              $object->getEditPolicy(),
+              PhabricatorPolicyCapability::CAN_EDIT);
+        }
+
+        // If the $actor can't edit the $parent_doc then they can't create
+        // the child $object; throw a policy exception.
+        if (!PhabricatorPolicyFilter::hasCapability(
+          $actor,
+          $parent_doc,
+          PhabricatorPolicyCapability::CAN_EDIT)) {
+          id(new PhabricatorPolicyFilter())
+            ->setViewer($actor)
+            ->raisePolicyExceptions(true)
+            ->rejectObject(
+              $object,
+              $object->getEditPolicy(),
+              PhabricatorPolicyCapability::CAN_EDIT);
+        }
+      }
+    }
+    return parent::requireCapabilities($object, $xaction);
+  }
 
   protected function supportsSearch() {
     return true;