Partially fix a policy issue with ApplicationTransactions

Summary: Currently, we check that the user can view and edit their own transaction, which is always true. Instead, check that they can view the object. I'll fix this with a more tailored check against the EDIT capability that's per-transaction later. Test Plan: Applying no transactions no longer fatals with undefined `$xaction`. Reviewers: btrahan Reviewed By: btrahan CC: aran Differential Revision: https://secure.phabricator.com/D6754
2024-11-23 15:22:41 +01:00 · 2013-08-14 10:15:38 -07:00 · 2013-08-14 10:15:38 -07:00 · 8c3d1af627
commit 8c3d1af627
parent f7b289e3a4
1 changed files with 10 additions and 1 deletions
--- a/src/applications/transactions/editor/PhabricatorApplicationTransactionEditor.php
+++ b/src/applications/transactions/editor/PhabricatorApplicationTransactionEditor.php
@ -607,13 +607,22 @@ abstract class PhabricatorApplicationTransactionEditor

    PhabricatorPolicyFilter::requireCapability(
      $actor,
-      $xaction,
+      $object,
      PhabricatorPolicyCapability::CAN_VIEW);

+    // TODO: This should be "$object", not "$xaction", but probably breaks a
+    // lot of stuff if fixed -- you don't need to be able to edit in order to
+    // comment. Instead, transactions should specify the capabilities they
+    // require.
+
+    /*
+
    PhabricatorPolicyFilter::requireCapability(
      $actor,
      $xaction,
      PhabricatorPolicyCapability::CAN_EDIT);
+
+    */
  }

  private function buildMentionTransaction(