Phriction - if you can't edit x/y don't allow creating x/y/z
Summary: ...how do you lock down entire areas otherwise? Fixes T6496. Test Plan: used user 1 to create x/y that user 2 can't edit. tried to create x/y/z as user 2 and got a big ole error dialogue. Reviewers: epriestley Reviewed By: epriestley Subscribers: Korvin, epriestley Maniphest Tasks: T6496 Differential Revision: https://secure.phabricator.com/D10819
This commit is contained in:
parent
b655699a6c
commit
6f971a0fc4
1 changed files with 52 additions and 0 deletions
@ -587,6 +587,58 @@ final class PhrictionTransactionEditor
|
||||||
}
|
}
|
||||||
return $error;
|
return $error;
|
||||||
}
|
}
|
||||||
|
protected function requireCapabilities(
|
||||||
|
PhabricatorLiskDAO $object,
|
||||||
|
PhabricatorApplicationTransaction $xaction) {
|
||||||
|
|
||||||
|
/*
|
||||||
|
* New objects have a special case. If a user can't see
|
||||||
|
* x/y
|
||||||
|
* then definitely don't let them make some
|
||||||
|
* x/y/z
|
||||||
|
* We need to load the direct parent to handle this case.
|
||||||
|
*/
|
||||||
|
if ($this->getIsNewObject()) {
|
||||||
|
$actor = $this->requireActor();
|
||||||
|
$parent_doc = null;
|
||||||
|
$ancestral_slugs = PhabricatorSlug::getAncestry($object->getSlug());
|
||||||
|
// No ancestral slugs is "/"; the first person gets to play with "/".
|
||||||
|
if ($ancestral_slugs) {
|
||||||
|
$parent = end($ancestral_slugs);
|
||||||
|
$parent_doc = id(new PhrictionDocumentQuery())
|
||||||
|
->setViewer($actor)
|
||||||
|
->withSlugs(array($parent))
|
||||||
|
->executeOne();
|
||||||
|
// If the $actor can't see the $parent_doc then they can't create
|
||||||
|
// the child $object; throw a policy exception.
|
||||||
|
if (!$parent_doc) {
|
||||||
|
id(new PhabricatorPolicyFilter())
|
||||||
|
->setViewer($actor)
|
||||||
|
->raisePolicyExceptions(true)
|
||||||
|
->rejectObject(
|
||||||
|
$object,
|
||||||
|
$object->getEditPolicy(),
|
||||||
|
PhabricatorPolicyCapability::CAN_EDIT);
|
||||||
|
}
|
||||||
|
|
||||||
|
// If the $actor can't edit the $parent_doc then they can't create
|
||||||
|
// the child $object; throw a policy exception.
|
||||||
|
if (!PhabricatorPolicyFilter::hasCapability(
|
||||||
|
$actor,
|
||||||
|
$parent_doc,
|
||||||
|
PhabricatorPolicyCapability::CAN_EDIT)) {
|
||||||
|
id(new PhabricatorPolicyFilter())
|
||||||
|
->setViewer($actor)
|
||||||
|
->raisePolicyExceptions(true)
|
||||||
|
->rejectObject(
|
||||||
|
$object,
|
||||||
|
$object->getEditPolicy(),
|
||||||
|
PhabricatorPolicyCapability::CAN_EDIT);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return parent::requireCapabilities($object, $xaction);
|
||||||
|
}
|
||||||
|
|
||||||
protected function supportsSearch() {
|
protected function supportsSearch() {
|
||||||
return true;
|
return true;
|
||||||
|
|
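Review bot: The second rejection (the `hasCapability` branch of `requireCapabilities`) reports the wrong object: the capability that actually failed is CAN_EDIT on `$parent_doc`, yet `rejectObject` is handed `$object` and `$object->getEditPolicy()`, so the policy dialogue describes the not-yet-created child's policy instead of the parent's; `->rejectObject($parent_doc, $parent_doc->getEditPolicy(), PhabricatorPolicyCapability::CAN_EDIT);` makes the explanation accurate, while keeping `$object` in the first rejection is reasonable because a user who cannot see the parent should not learn its policy from the error. Note also that `end($ancestral_slugs)` checks only the immediate parent, so if x is locked but an existing x/y has a permissive edit policy, creating x/y/z is still allowed; that is probably intended but worth stating in the block comment, e.g. `// Only the direct parent is checked; a permissive intermediate document re-opens its subtree.` Finally, `!$parent_doc` covers both "not visible" and "does not exist", so if this editor relies on stub ancestors being created for a missing parent, that path is now rejected too and deserves a case in the test plan.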