Clean up "reorder" permissions in MenuEngine for personal favorites

Summary:
Fixes T12159. This is similar to D17228, which fixed this for the main configuration operation.

Most other edit operations only test for edit capability on the MenuItem itself, which we already do correctly. However, because reordering affects all items, we test for capability on the object.

Weaken this when reordering custom items.

Test Plan: Reordered custom items in Favorites as a non-administrator.

Reviewers: chad

Reviewed By: chad

Maniphest Tasks: T12159

Differential Revision: https://secure.phabricator.com/D17257

src/applications/search/engine/PhabricatorProfileMenuEngine.php

@@ -497,10 +497,34 @@ abstract class PhabricatorProfileMenuEngine extends Phobject {
     $viewer = $this->getViewer();
     $object = $this->getProfileObject();
 
-    PhabricatorPolicyFilter::requireCapability(
-      $viewer,
-      $object,
-      PhabricatorPolicyCapability::CAN_EDIT);
+    // If you're reordering global items, you need to be able to edit the
+    // object the menu appears on. If you're reordering custom items, you only
+    // need to be able to edit the custom object. Currently, the custom object
+    // is always the viewing user's own user object.
+    $custom_phid = $this->getCustomPHID();
+    if (!$custom_phid) {
+      PhabricatorPolicyFilter::requireCapability(
+        $viewer,
+        $object,
+        PhabricatorPolicyCapability::CAN_EDIT);
+    } else {
+      $policy_object = id(new PhabricatorObjectQuery())
+        ->setViewer($viewer)
+        ->withPHIDs(array($custom_phid))
+        ->executeOne();
+
+      if (!$policy_object) {
+        throw new Exception(
+          pht(
+            'Failed to load custom PHID "%s"!',
+            $custom_phid));
+      }
+
+      PhabricatorPolicyFilter::requireCapability(
+        $viewer,
+        $policy_object,
+        PhabricatorPolicyCapability::CAN_EDIT);
+    }
 
     $controller = $this->getController();
     $request = $controller->getRequest();