Check CAN_VIEW and CAN_EDIT at SearchAttachController

Summary: Fixes T11193. Assume this is the correct place to check for permissions before attaching edges. Test Plan: Create a task and set edit policy to Admins, log into test account. Try to Edit Subtasks, Merge Duplicates, Attach a Diff, or Attach a Mock, get a Policy Dialog explaing why. Reviewers: epriestley Reviewed By: epriestley Subscribers: Korvin Maniphest Tasks: T11193 Differential Revision: https://secure.phabricator.com/D16161
2024-11-10 08:52:39 +01:00 · 2016-06-22 14:00:37 +00:00 · 2016-06-22 14:00:37 +00:00 · 83c4701231
commit 83c4701231
parent 921a5b4941
3 changed files with 5 additions and 3 deletions
--- a/src/applications/maniphest/controller/ManiphestTaskDetailController.php
+++ b/src/applications/maniphest/controller/ManiphestTaskDetailController.php
@ -198,7 +198,6 @@ final class ManiphestTaskDetailController extends ManiphestController {
    $task_submenu[] = id(new PhabricatorActionView())
      ->setName(pht('Edit Blocking Tasks'))
      ->setHref("/search/attach/{$phid}/TASK/blocks/")
      ->setWorkflow(true)
      ->setIcon('fa-link')
      ->setDisabled(!$can_edit)
      ->setWorkflow(true);
@ -206,7 +205,6 @@ final class ManiphestTaskDetailController extends ManiphestController {
    $task_submenu[] = id(new PhabricatorActionView())
      ->setName(pht('Merge Duplicates In'))
      ->setHref("/search/attach/{$phid}/TASK/merge/")
      ->setWorkflow(true)
      ->setIcon('fa-compress')
      ->setDisabled(!$can_edit)
      ->setWorkflow(true);
--- a/src/applications/pholio/event/PholioActionMenuEventListener.php
+++ b/src/applications/pholio/event/PholioActionMenuEventListener.php
@ -42,7 +42,6 @@ final class PholioActionMenuEventListener
    return  id(new PhabricatorActionView())
      ->setName(pht('Edit Pholio Mocks'))
      ->setHref("/search/attach/{$phid}/MOCK/edge/")
      ->setWorkflow(true)
      ->setIcon('fa-camera-retro')
      ->setDisabled(!$can_edit)
      ->setWorkflow(true);
--- a/src/applications/search/controller/PhabricatorSearchAttachController.php
+++ b/src/applications/search/controller/PhabricatorSearchAttachController.php
@ -18,6 +18,11 @@ final class PhabricatorSearchAttachController
    $object = id(new PhabricatorObjectQuery())
      ->setViewer($user)
      ->requireCapabilities(
        array(
          PhabricatorPolicyCapability::CAN_VIEW,
          PhabricatorPolicyCapability::CAN_EDIT,
        ))
      ->withPHIDs(array($phid))
      ->executeOne();