mirror of
https://we.phorge.it/source/phorge.git
synced 2024-12-18 19:40:55 +01:00
Check CAN_VIEW and CAN_EDIT at SearchAttachController
Summary: Fixes T11193. Assume this is the correct place to check for permissions before attaching edges. Test Plan: Create a task and set edit policy to Admins, log into test account. Try to Edit Subtasks, Merge Duplicates, Attach a Diff, or Attach a Mock, get a Policy Dialog explaing why. Reviewers: epriestley Reviewed By: epriestley Subscribers: Korvin Maniphest Tasks: T11193 Differential Revision: https://secure.phabricator.com/D16161
This commit is contained in:
parent
921a5b4941
commit
83c4701231
3 changed files with 5 additions and 3 deletions
|
@ -198,7 +198,6 @@ final class ManiphestTaskDetailController extends ManiphestController {
|
||||||
$task_submenu[] = id(new PhabricatorActionView())
|
$task_submenu[] = id(new PhabricatorActionView())
|
||||||
->setName(pht('Edit Blocking Tasks'))
|
->setName(pht('Edit Blocking Tasks'))
|
||||||
->setHref("/search/attach/{$phid}/TASK/blocks/")
|
->setHref("/search/attach/{$phid}/TASK/blocks/")
|
||||||
->setWorkflow(true)
|
|
||||||
->setIcon('fa-link')
|
->setIcon('fa-link')
|
||||||
->setDisabled(!$can_edit)
|
->setDisabled(!$can_edit)
|
||||||
->setWorkflow(true);
|
->setWorkflow(true);
|
||||||
|
@ -206,7 +205,6 @@ final class ManiphestTaskDetailController extends ManiphestController {
|
||||||
$task_submenu[] = id(new PhabricatorActionView())
|
$task_submenu[] = id(new PhabricatorActionView())
|
||||||
->setName(pht('Merge Duplicates In'))
|
->setName(pht('Merge Duplicates In'))
|
||||||
->setHref("/search/attach/{$phid}/TASK/merge/")
|
->setHref("/search/attach/{$phid}/TASK/merge/")
|
||||||
->setWorkflow(true)
|
|
||||||
->setIcon('fa-compress')
|
->setIcon('fa-compress')
|
||||||
->setDisabled(!$can_edit)
|
->setDisabled(!$can_edit)
|
||||||
->setWorkflow(true);
|
->setWorkflow(true);
|
||||||
|
|
|
@ -42,7 +42,6 @@ final class PholioActionMenuEventListener
|
||||||
return id(new PhabricatorActionView())
|
return id(new PhabricatorActionView())
|
||||||
->setName(pht('Edit Pholio Mocks'))
|
->setName(pht('Edit Pholio Mocks'))
|
||||||
->setHref("/search/attach/{$phid}/MOCK/edge/")
|
->setHref("/search/attach/{$phid}/MOCK/edge/")
|
||||||
->setWorkflow(true)
|
|
||||||
->setIcon('fa-camera-retro')
|
->setIcon('fa-camera-retro')
|
||||||
->setDisabled(!$can_edit)
|
->setDisabled(!$can_edit)
|
||||||
->setWorkflow(true);
|
->setWorkflow(true);
|
||||||
|
|
|
@ -18,6 +18,11 @@ final class PhabricatorSearchAttachController
|
||||||
|
|
||||||
$object = id(new PhabricatorObjectQuery())
|
$object = id(new PhabricatorObjectQuery())
|
||||||
->setViewer($user)
|
->setViewer($user)
|
||||||
|
->requireCapabilities(
|
||||||
|
array(
|
||||||
|
PhabricatorPolicyCapability::CAN_VIEW,
|
||||||
|
PhabricatorPolicyCapability::CAN_EDIT,
|
||||||
|
))
|
||||||
->withPHIDs(array($phid))
|
->withPHIDs(array($phid))
|
||||||
->executeOne();
|
->executeOne();
|
||||||
|
|
||||||
|
|
Loading…
Reference in a new issue