From aedb694ad6e0892018937c30bf409d720a7b2ed4 Mon Sep 17 00:00:00 2001 From: epriestley Date: Wed, 25 Jun 2014 05:33:32 -0700 Subject: [PATCH] When moving an object between workboard columns, require object edit permission Summary: Fixes T5204. Currently, to move an object (like a task) between columns on a workboard, you must be able to edit the project. This doesn't map very well to real usage. Instead, require users be able to edit the object (e.g., the task). (You still need to be able to edit the project to create columns, edit columns, etc.) Test Plan: Moved stuff around on a project I could not edit. Reviewers: chad Reviewed By: chad Subscribers: epriestley Maniphest Tasks: T5204 Differential Revision: https://secure.phabricator.com/D9720
---
 .../PhabricatorProjectMoveController.php | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)
diff --git a/src/applications/project/controller/PhabricatorProjectMoveController.php b/src/applications/project/controller/PhabricatorProjectMoveController.php
index 17ad58b30c..126773dabe 100644
--- a/src/applications/project/controller/PhabricatorProjectMoveController.php
+++ b/src/applications/project/controller/PhabricatorProjectMoveController.php
@@ -23,7 +23,6 @@ final class PhabricatorProjectMoveController
 ->requireCapabilities(
 array(
 PhabricatorPolicyCapability::CAN_VIEW,
- PhabricatorPolicyCapability::CAN_EDIT,
 ))
 ->withIDs(array($this->id))
 ->executeOne();
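Review bot: With CAN_EDIT no longer required on the project at `->requireCapabilities(`, the only authorization left for a column move is the edit check on the object further down in this method, and nothing at this query records that the looser project check is intentional; the NOTE that used to explain the old split is deleted in the next hunk. Suggest a comment above this call: `// Only CAN_VIEW is required on the project here: moving an object between columns is authorized by requiring CAN_EDIT on the object itself, below.` That keeps a later reader from reinstating CAN_EDIT here or dropping it on the object query. The enclosing method begins before this hunk.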
@@ -31,13 +30,14 @@ final class PhabricatorProjectMoveController
 return new Aphront404Response();
 }
- // NOTE: I'm not requiring EDIT on the object for now, since we require
- // EDIT on the project anyway and this relationship is more owned by the
- // project than the object. Maybe this is worth revisiting eventually.
-
 $object = id(new PhabricatorObjectQuery())
 ->setViewer($viewer)
 ->withPHIDs(array($object_phid))
+ ->requireCapabilities(
+ array(
+ PhabricatorPolicyCapability::CAN_VIEW,
+ PhabricatorPolicyCapability::CAN_EDIT,
+ ))
 ->executeOne();
 if (!$object) {
@@ -90,7 +90,11 @@ final class PhabricatorProjectMoveController
 $tasks = id(new ManiphestTaskQuery())
 ->setViewer($viewer)
 ->withPHIDs($task_phids)
- ->requireCapabilities(array(PhabricatorPolicyCapability::CAN_EDIT))
+ ->requireCapabilities(
+ array(
+ PhabricatorPolicyCapability::CAN_VIEW,
+ PhabricatorPolicyCapability::CAN_EDIT,
+ ))
 ->execute();
 if (count($tasks) != count($task_phids)) {
 return new Aphront404Response();
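Review bot: The capability list added at `->requireCapabilities(` on the object query is repeated verbatim in the `$tasks` query in the following hunk, so the two authorization checks that now gate a column move can drift apart independently. Hoisting it once, `$capabilities = array(PhabricatorPolicyCapability::CAN_VIEW, PhabricatorPolicyCapability::CAN_EDIT);`, and passing `->requireCapabilities($capabilities)` at both sites keeps the object and task checks identical by construction. How `executeOne()` reports a viewer who can see but not edit the object (the `if (!$object)` 404 here, or a policy exception raised by the query) is decided outside this hunk and is worth confirming, since it determines whether the denial is recorded as a policy failure or surfaces as a missing object.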
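Review bot: The `count($tasks) != count($task_phids)` check after `->execute()` turns a task the viewer can see but not edit into an Aphront404Response, so a policy denial is indistinguishable from a missing task for both the user and anyone reading the logs; this is inferred from the count check rather than shown here, since whether `requireCapabilities()` filters or raises on `execute()` is not visible in the hunk. If it filters, returning a dedicated policy response for the size mismatch would make the denial explicit. The comparison also uses loose `!=` on two integers; `!==` is the stricter form.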