Don't require any special capabilities to apply a "closed a subtask" transaction to a parent task

Summary: See PHI1059. If you close a task, we apply an "alice closed a subtask: X" transaction to its parents. This transaction is purely informative, but currently requires `CAN_EDIT` permission after T13186. However, we'd prefer to post this transaction anyway, even if: the parent is locked; or the parent is not editable by the acting user. Replace the implicit `CAN_EDIT` requirement with no requirement. (This transaction is only applied internally (by closing a subtask) and can't be applied via the API or any other channel, so this doesn't let attackers spam a bunch of bogus subtask closures all over the place or anything.) Test Plan: - Created a parent task A with subtask B. - Put task A into an "Edits Locked" status. - As a user other than the owner of A, closed B. Then: - Before: Policy exception when trying to apply the "alice closed a subtask: B" transaction to A. - After: B closed, A got a transaction despite being locked. Reviewers: amckinley Reviewed By: amckinley Differential Revision: https://secure.phabricator.com/D20223
2024-11-10 08:52:39 +01:00 · 2019-02-28 08:05:07 -08:00 · 2019-02-28 08:05:07 -08:00 · 75dfae1011
commit 75dfae1011
parent 4cc556b576
1 changed files with 10 additions and 0 deletions
--- a/src/applications/maniphest/xaction/ManiphestTaskUnblockTransaction.php
+++ b/src/applications/maniphest/xaction/ManiphestTaskUnblockTransaction.php
@ -123,4 +123,14 @@ final class ManiphestTaskUnblockTransaction
    return parent::shouldHideForFeed();
  }

+  public function getRequiredCapabilities(
+    $object,
+    PhabricatorApplicationTransaction $xaction) {
+
+    // When you close a task, we want to apply this transaction to its parents
+    // even if you can not edit (or even see) those parents, so don't require
+    // any capabilities. See PHI1059.
+
+    return null;
+  }
 }