From 9829ecddd695e7c1d866576da098fa2830855511 Mon Sep 17 00:00:00 2001
From: epriestley
Date: Thu, 26 Jan 2017 19:42:04 -0800
Subject: [PATCH] Clean up "reorder" permissions in MenuEngine for personal favorites

Summary: Fixes T12159. This is similar to D17228, which fixed this for the main configuration operation. Most other edit operations only test for edit capability on the MenuItem itself, which we already do correctly. However, because reordering affects all items, we test for capability on the object. Weaken this when reordering custom items.
Test Plan: Reordered custom items in Favorites as a non-administrator.
Reviewers: chad
Reviewed By: chad
Maniphest Tasks: T12159
Differential Revision: https://secure.phabricator.com/D17257
---
 .../engine/PhabricatorProfileMenuEngine.php | 32 ++++++++++++++++---
 1 file changed, 28 insertions(+), 4 deletions(-)

diff --git a/src/applications/search/engine/PhabricatorProfileMenuEngine.php b/src/applications/search/engine/PhabricatorProfileMenuEngine.php
index a6db1b2d2b..1af25a4eef 100644
--- a/src/applications/search/engine/PhabricatorProfileMenuEngine.php
+++ b/src/applications/search/engine/PhabricatorProfileMenuEngine.php
@@ -497,10 +497,34 @@ abstract class PhabricatorProfileMenuEngine extends Phobject {
     $viewer = $this->getViewer();
     $object = $this->getProfileObject();
 
-    PhabricatorPolicyFilter::requireCapability(
-      $viewer,
-      $object,
-      PhabricatorPolicyCapability::CAN_EDIT);
+    // If you're reordering global items, you need to be able to edit the
+    // object the menu appears on. If you're reordering custom items, you only
+    // need to be able to edit the custom object. Currently, the custom object
+    // is always the viewing user's own user object.
+    $custom_phid = $this->getCustomPHID();
+    if (!$custom_phid) {
+      PhabricatorPolicyFilter::requireCapability(
+        $viewer,
+        $object,
+        PhabricatorPolicyCapability::CAN_EDIT);
+    } else {
+      $policy_object = id(new PhabricatorObjectQuery())
+        ->setViewer($viewer)
+        ->withPHIDs(array($custom_phid))
+        ->executeOne();
+
+      if (!$policy_object) {
+        throw new Exception(
+          pht(
+            'Failed to load custom PHID "%s"!',
+            $custom_phid));
+      }
+
+      PhabricatorPolicyFilter::requireCapability(
+        $viewer,
+        $policy_object,
+        PhabricatorPolicyCapability::CAN_EDIT);
+    }
 
     $controller = $this->getController();
     $request = $controller->getRequest();
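Review bot: The relaxed gate in the `else` branch only proves the viewer can edit the custom object; nothing in this hunk ties the items actually being reordered to `$custom_phid`, so the item handling that follows (outside the hunk, where the method continues) must reject any item PHID whose custom PHID does not match, otherwise a viewer who merely edits their own object could reorder the global items too — worth confirming there. The new comment asserts the custom object "is always the viewing user's own user object", but the code enforces only CAN_EDIT on whatever the PHID resolves to; if that invariant is relied on, state it as an assumption rather than a fact, e.g. `// Currently the custom object is expected to be the viewing user's own user object; the check below only requires CAN_EDIT on it.` Also note that `executeOne()` returns null both when the PHID does not exist and when the viewer cannot see it, so the `Failed to load custom PHID` exception covers a visibility failure as well; acceptable for an internal invariant, but a short comment above the `throw` would save the next reader from assuming it means "not found".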