mirror of https://we.phorge.it/source/phorge.git synced 2024-12-18 19:40:55 +01:00

Check CAN_VIEW and CAN_EDIT at SearchAttachController

Summary: Fixes T11193. Assume this is the correct place to check for permissions before attaching edges.

Test Plan: Create a task and set edit policy to Admins, log into test account. Try to Edit Subtasks, Merge Duplicates, Attach a Diff, or Attach a Mock, get a Policy Dialog explaining why.

Reviewers: epriestley

Reviewed By: epriestley

Subscribers: Korvin

Maniphest Tasks: T11193

Differential Revision: https://secure.phabricator.com/D16161
Chad Little 2016-06-22 14:00:37 +00:00 committed by chad
parent 921a5b4941
commit 83c4701231
3 changed files with 5 additions and 3 deletions


@ -198,7 +198,6 @@ final class ManiphestTaskDetailController extends ManiphestController {
$task_submenu[] = id(new PhabricatorActionView()) $task_submenu[] = id(new PhabricatorActionView())
->setName(pht('Edit Blocking Tasks')) ->setName(pht('Edit Blocking Tasks'))
->setHref("/search/attach/{$phid}/TASK/blocks/") ->setHref("/search/attach/{$phid}/TASK/blocks/")
->setWorkflow(true)
->setIcon('fa-link') ->setIcon('fa-link')
->setDisabled(!$can_edit) ->setDisabled(!$can_edit)
->setWorkflow(true); ->setWorkflow(true);
@ -206,7 +205,6 @@ final class ManiphestTaskDetailController extends ManiphestController {
$task_submenu[] = id(new PhabricatorActionView()) $task_submenu[] = id(new PhabricatorActionView())
->setName(pht('Merge Duplicates In')) ->setName(pht('Merge Duplicates In'))
->setHref("/search/attach/{$phid}/TASK/merge/") ->setHref("/search/attach/{$phid}/TASK/merge/")
->setWorkflow(true)
->setIcon('fa-compress') ->setIcon('fa-compress')
->setDisabled(!$can_edit) ->setDisabled(!$can_edit)
->setWorkflow(true); ->setWorkflow(true);


@ -42,7 +42,6 @@ final class PholioActionMenuEventListener
return id(new PhabricatorActionView()) return id(new PhabricatorActionView())
->setName(pht('Edit Pholio Mocks')) ->setName(pht('Edit Pholio Mocks'))
->setHref("/search/attach/{$phid}/MOCK/edge/") ->setHref("/search/attach/{$phid}/MOCK/edge/")
->setWorkflow(true)
->setIcon('fa-camera-retro') ->setIcon('fa-camera-retro')
->setDisabled(!$can_edit) ->setDisabled(!$can_edit)
->setWorkflow(true); ->setWorkflow(true);


@ -18,6 +18,11 @@ final class PhabricatorSearchAttachController
$object = id(new PhabricatorObjectQuery()) $object = id(new PhabricatorObjectQuery())
->setViewer($user) ->setViewer($user)
->requireCapabilities(
array(
PhabricatorPolicyCapability::CAN_VIEW,
PhabricatorPolicyCapability::CAN_EDIT,
))
->withPHIDs(array($phid)) ->withPHIDs(array($phid))
->executeOne(); ->executeOne();
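Review bot: The added `requireCapabilities` call checks only the source object loaded from `$phid`; nothing in this hunk shows a matching check on the objects being attached or merged on the other end of the edge. The handler continues outside the hunk, so confirm those objects are loaded with the viewer and, for the merge action, that CAN_EDIT is enforced on them as well. The action links in the other two files only grey out via `setDisabled(!$can_edit)`, so this query is the actual enforcement point for every `/search/attach/` request, and a comment would keep it from being dropped in a later refactor: `// Enforce CAN_EDIT server-side; the disabled menu items are only a UI hint.` A regression test that requests the attach URI as a viewer without edit permission and expects the policy dialog would pin the behaviour down.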