1
0
Fork 0
mirror of https://we.phorge.it/source/phorge.git synced 2024-11-27 09:12:41 +01:00

Partially fix a policy issue with ApplicationTransactions

Summary: Currently, we check that the user can view and edit their own transaction, which is always true. Instead, check that they can view the object. I'll fix this with a more tailored check against the EDIT capability that's per-transaction later.

Test Plan: Applying no transactions no longer fatals with undefined `$xaction`.

Reviewers: btrahan

Reviewed By: btrahan

CC: aran

Differential Revision: https://secure.phabricator.com/D6754
This commit is contained in:
epriestley 2013-08-14 10:15:38 -07:00
parent f7b289e3a4
commit 8c3d1af627

View file

@ -607,13 +607,22 @@ abstract class PhabricatorApplicationTransactionEditor
PhabricatorPolicyFilter::requireCapability(
$actor,
$xaction,
$object,
PhabricatorPolicyCapability::CAN_VIEW);
// TODO: This should be "$object", not "$xaction", but probably breaks a
// lot of stuff if fixed -- you don't need to be able to edit in order to
// comment. Instead, transactions should specify the capabilities they
// require.
/*
PhabricatorPolicyFilter::requireCapability(
$actor,
$xaction,
PhabricatorPolicyCapability::CAN_EDIT);
*/
}
private function buildMentionTransaction(