mirror of https://we.phorge.it/source/phorge.git synced 2025-01-25 14:08:19 +01:00

Clean up supplemental capability checks in transaction edits

Summary:
We have this commented-out chunk of code now which was originally buggy and is now just nonfunctional.

For now, the core edit types don't always require CAN_EDIT (e.g., subscribe, comment, add edges), except for editing the edit policy itself, which always does. Add a supplemental capability check there and let everything else go through with CAN_VIEW. We can buff the policy checks on application editors over time; they all require appropriate capabilities to get to in the first place anyway.

Test Plan: Created and edited some tasks without getting overwhelmed with policy exceptions.

Reviewers: btrahan

Reviewed By: btrahan

CC: aran

Differential Revision: https://secure.phabricator.com/D7351
epriestley 2013-10-21 16:58:21 -07:00
parent f5c7dd68d2
commit 83c99be423


@ -697,19 +697,27 @@ abstract class PhabricatorApplicationTransactionEditor
$object,
PhabricatorPolicyCapability::CAN_VIEW);
// TODO: This should be "$object", not "$xaction", but probably breaks a
// lot of stuff if fixed -- you don't need to be able to edit in order to
// comment. Instead, transactions should specify the capabilities they
// require.
foreach ($xactions as $xaction) {
$this->requireCapabilities($object, $xaction);
}
}
/*
protected function requireCapabilities(
PhabricatorLiskDAO $object,
PhabricatorApplicationTransaction $xaction) {
PhabricatorPolicyFilter::requireCapability(
$actor,
$xaction,
PhabricatorPolicyCapability::CAN_EDIT);
switch ($xaction->getTransactionType()) {
case PhabricatorTransactions::TYPE_EDIT_POLICY:
// You must have the edit capability to alter the edit policy of an
// object. For other default transaction types, we don't enforce
// anything for the moment.
*/
PhabricatorPolicyFilter::requireCapability(
$this->requireActor(),
$object,
PhabricatorPolicyCapability::CAN_EDIT);
break;
}
}
private function buildMentionTransaction(
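Review bot: In requireCapabilities(), the switch on $xaction->getTransactionType() has a single case, TYPE_EDIT_POLICY, and no default branch, so every other transaction type is authorized by the CAN_VIEW check on $object alone. That matches the summary for comments and subscriptions, but it equally applies to any other privileged transaction type that is not listed, including ones added later. Consider listing such types explicitly, or adding a default branch with a comment stating that passing with only CAN_VIEW is intentional. Because the method is protected, a short docblock noting that application editors can override it to add stricter checks, and should still call the parent so the edit-policy check is kept, would make the intended extension point clear.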