mirror of https://we.phorge.it/source/phorge.git synced 2024-12-23 22:10:55 +01:00

Don't require any special capabilities to apply a "closed a subtask" transaction to a parent task

Summary:
See PHI1059. If you close a task, we apply an "alice closed a subtask: X" transaction to its parents.

This transaction is purely informative, but currently requires `CAN_EDIT` permission after T13186. However, we'd prefer to post this transaction anyway, even if: the parent is locked; or the parent is not editable by the acting user.

Replace the implicit `CAN_EDIT` requirement with no requirement.

(This transaction is only applied internally (by closing a subtask) and can't be applied via the API or any other channel, so this doesn't let attackers spam a bunch of bogus subtask closures all over the place or anything.)

Test Plan:
  - Created a parent task A with subtask B.
  - Put task A into an "Edits Locked" status.
  - As a user other than the owner of A, closed B.

Then:

  - Before: Policy exception when trying to apply the "alice closed a subtask: B" transaction to A.
  - After: B closed, A got a transaction despite being locked.

Reviewers: amckinley

Reviewed By: amckinley

Differential Revision: https://secure.phabricator.com/D20223
epriestley 2019-02-28 08:05:07 -08:00
parent 4cc556b576
commit 75dfae1011


@ -123,4 +123,14 @@ final class ManiphestTaskUnblockTransaction
return parent::shouldHideForFeed();
}
public function getRequiredCapabilities(
$object,
PhabricatorApplicationTransaction $xaction) {
// When you close a task, we want to apply this transaction to its parents
// even if you can not edit (or even see) those parents, so don't require
// any capabilities. See PHI1059.
return null;
}
}
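Review bot: In `getRequiredCapabilities()`, `return null` drops every capability check for this transaction type, and the new comment explains why that is wanted but not why it is safe. The commit message says the transaction is only applied internally when a subtask is closed and cannot be applied via the API or any other channel; that invariant should be stated in the comment as well, so that a later change exposing this type through an edit path is recognised as removing the only guard. The comment also covers parents the actor cannot see, which goes beyond the locked and not-editable cases exercised in the test plan, so consider adding a case for a parent that is not visible to the acting user.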