mirror of
https://we.phorge.it/source/phorge.git
synced 2024-11-27 09:12:41 +01:00
Partially fix a policy issue with ApplicationTransactions
Summary: Currently, we check that the user can view and edit their own transaction, which is always true. Instead, check that they can view the object. I'll fix this with a more tailored check against the EDIT capability that's per-transaction later.

Test Plan: Applying no transactions no longer fatals with undefined `$xaction`.

Reviewers: btrahan

Reviewed By: btrahan

CC: aran

Differential Revision: https://secure.phabricator.com/D6754
This commit is contained in:
parent
f7b289e3a4
commit
8c3d1af627
1 changed files with 10 additions and 1 deletions
@ -607,13 +607,22 @@ abstract class PhabricatorApplicationTransactionEditor
|
||||||
|
|
||||||
PhabricatorPolicyFilter::requireCapability(
|
PhabricatorPolicyFilter::requireCapability(
|
||||||
$actor,
|
$actor,
|
||||||
$xaction,
|
$object,
|
||||||
PhabricatorPolicyCapability::CAN_VIEW);
|
PhabricatorPolicyCapability::CAN_VIEW);
|
||||||
|
|
||||||
|
// TODO: This should be "$object", not "$xaction", but probably breaks a
|
||||||
|
// lot of stuff if fixed -- you don't need to be able to edit in order to
|
||||||
|
// comment. Instead, transactions should specify the capabilities they
|
||||||
|
// require.
|
||||||
|
|
||||||
|
/*
|
||||||
|
|
||||||
PhabricatorPolicyFilter::requireCapability(
|
PhabricatorPolicyFilter::requireCapability(
|
||||||
$actor,
|
$actor,
|
||||||
$xaction,
|
$xaction,
|
||||||
PhabricatorPolicyCapability::CAN_EDIT);
|
PhabricatorPolicyCapability::CAN_EDIT);
|
||||||
|
|
||||||
|
*/
|
||||||
}
|
}
|
||||||
|
|
||||||
private function buildMentionTransaction(
|
private function buildMentionTransaction(
|
||||||
|
|
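Review bot: The CAN_EDIT check is commented out rather than replaced, so after this hunk the only policy enforcement on this path is `PhabricatorPolicyFilter::requireCapability($actor, $object, CAN_VIEW)`; any actor who can view the object can apply an edit transaction to it until the per-transaction capability check promised in the TODO lands. Since the commit message already calls this a partial fix, please reference the follow-up task in the TODO and add a test asserting that a view-only user cannot apply a non-comment transaction, so the regression is visible rather than latent. Also prefer deleting the `/* ... */` block outright instead of leaving dead code: the old check compared the actor against `$xaction`, which the summary notes is always true, so it documents a bug rather than the intended behaviour.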