mirror of
https://we.phorge.it/source/phorge.git
synced 2024-12-23 14:00:56 +01:00
Clean up "reorder" permissions in MenuEngine for personal favorites
Summary: Fixes T12159. This is similar to D17228, which fixed this for the main configuration operation. Most other edit operations only test for edit capability on the MenuItem itself, which we already do correctly. However, because reordering affects all items, we test for capability on the object. Weaken this when reordering custom items. Test Plan: Reordered custom items in Favorites as a non-administrator. Reviewers: chad Reviewed By: chad Maniphest Tasks: T12159 Differential Revision: https://secure.phabricator.com/D17257
This commit is contained in:
parent
bee043b163
commit
9829ecddd6
1 changed files with 28 additions and 4 deletions
|
@ -497,10 +497,34 @@ abstract class PhabricatorProfileMenuEngine extends Phobject {
|
|||
$viewer = $this->getViewer();
|
||||
$object = $this->getProfileObject();
|
||||
|
||||
PhabricatorPolicyFilter::requireCapability(
|
||||
$viewer,
|
||||
$object,
|
||||
PhabricatorPolicyCapability::CAN_EDIT);
|
||||
// If you're reordering global items, you need to be able to edit the
|
||||
// object the menu appears on. If you're reordering custom items, you only
|
||||
// need to be able to edit the custom object. Currently, the custom object
|
||||
// is always the viewing user's own user object.
|
||||
$custom_phid = $this->getCustomPHID();
|
||||
if (!$custom_phid) {
|
||||
PhabricatorPolicyFilter::requireCapability(
|
||||
$viewer,
|
||||
$object,
|
||||
PhabricatorPolicyCapability::CAN_EDIT);
|
||||
} else {
|
||||
$policy_object = id(new PhabricatorObjectQuery())
|
||||
->setViewer($viewer)
|
||||
->withPHIDs(array($custom_phid))
|
||||
->executeOne();
|
||||
|
||||
if (!$policy_object) {
|
||||
throw new Exception(
|
||||
pht(
|
||||
'Failed to load custom PHID "%s"!',
|
||||
$custom_phid));
|
||||
}
|
||||
|
||||
PhabricatorPolicyFilter::requireCapability(
|
||||
$viewer,
|
||||
$policy_object,
|
||||
PhabricatorPolicyCapability::CAN_EDIT);
|
||||
}
|
||||
|
||||
$controller = $this->getController();
|
||||
$request = $controller->getRequest();
|
||||
|
|
Loading…
Reference in a new issue