mirror of
https://we.phorge.it/source/phorge.git
synced 2024-12-23 22:10:55 +01:00
Don't require any special capabilities to apply a "closed a subtask" transaction to a parent task
Summary: See PHI1059. If you close a task, we apply an "alice closed a subtask: X" transaction to its parents. This transaction is purely informative, but currently requires `CAN_EDIT` permission after T13186. However, we'd prefer to post this transaction anyway, even if: the parent is locked; or the parent is not editable by the acting user. Replace the implicit `CAN_EDIT` requirement with no requirement. (This transaction is only applied internally (by closing a subtask) and can't be applied via the API or any other channel, so this doesn't let attackers spam a bunch of bogus subtask closures all over the place or anything.) Test Plan: - Created a parent task A with subtask B. - Put task A into an "Edits Locked" status. - As a user other than the owner of A, closed B. Then: - Before: Policy exception when trying to apply the "alice closed a subtask: B" transaction to A. - After: B closed, A got a transaction despite being locked. Reviewers: amckinley Reviewed By: amckinley Differential Revision: https://secure.phabricator.com/D20223
This commit is contained in:
parent
4cc556b576
commit
75dfae1011
1 changed files with 10 additions and 0 deletions
|
@ -123,4 +123,14 @@ final class ManiphestTaskUnblockTransaction
|
|||
return parent::shouldHideForFeed();
|
||||
}
|
||||
|
||||
public function getRequiredCapabilities(
|
||||
$object,
|
||||
PhabricatorApplicationTransaction $xaction) {
|
||||
|
||||
// When you close a task, we want to apply this transaction to its parents
|
||||
// even if you can not edit (or even see) those parents, so don't require
|
||||
// any capabilities. See PHI1059.
|
||||
|
||||
return null;
|
||||
}
|
||||
}
|
||||
|
|
Loading…
Reference in a new issue