mirror of https://we.phorge.it/source/phorge.git synced 2024-11-18 12:52:42 +01:00

When moving an object between workboard columns, require object edit permission

Summary:
Fixes T5204. Currently, to move an object (like a task) between columns on a workboard, you must be able to edit the project.

This doesn't map very well to real usage. Instead, require users be able to edit the object (e.g., the task).

(You still need to be able to edit the project to create columns, edit columns, etc.)

Test Plan: Moved stuff around on a project I could not edit.

Reviewers: chad

Reviewed By: chad

Subscribers: epriestley

Maniphest Tasks: T5204

Differential Revision: https://secure.phabricator.com/D9720
epriestley 2014-06-25 05:33:32 -07:00
parent fe4dcd4063
commit aedb694ad6

@ -23,7 +23,6 @@ final class PhabricatorProjectMoveController
->requireCapabilities(
array(
PhabricatorPolicyCapability::CAN_VIEW,
PhabricatorPolicyCapability::CAN_EDIT,
))
->withIDs(array($this->id))
->executeOne();
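Review bot: Missing documentation on the project query's requireCapabilities array (the one ahead of ->withIDs(array($this->id))): nothing here says that CAN_EDIT on the project is deliberately not required for a move. The hunk header (7 lines down to 6) and the commit message indicate the project is now loaded with CAN_VIEW only, so authorization for the move rests entirely on the object query further down. A one-line comment stating that, and that creating or editing columns still requires edit on the project, would stop a later change from restoring CAN_EDIT here or from assuming this query gates the move.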
@ -31,13 +30,14 @@ final class PhabricatorProjectMoveController
return new Aphront404Response();
}
// NOTE: I'm not requiring EDIT on the object for now, since we require
// EDIT on the project anyway and this relationship is more owned by the
// project than the object. Maybe this is worth revisiting eventually.
$object = id(new PhabricatorObjectQuery())
->setViewer($viewer)
->withPHIDs(array($object_phid))
->requireCapabilities(
array(
PhabricatorPolicyCapability::CAN_VIEW,
PhabricatorPolicyCapability::CAN_EDIT,
))
->executeOne();
if (!$object) {
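Review bot: The denied path for the new CAN_EDIT requirement on the PhabricatorObjectQuery is not covered by the test plan, which only exercises the allowed case ("Moved stuff around on a project I could not edit"). Please also try moving an object the viewer can see but cannot edit and confirm the request is refused at if (!$object). Since the old NOTE comment explaining why EDIT was not required goes away, consider leaving a short replacement comment saying that the object's edit policy is now what authorizes the move.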
@ -90,7 +90,11 @@ final class PhabricatorProjectMoveController
$tasks = id(new ManiphestTaskQuery())
->setViewer($viewer)
->withPHIDs($task_phids)
->requireCapabilities(array(PhabricatorPolicyCapability::CAN_EDIT))
->requireCapabilities(
array(
PhabricatorPolicyCapability::CAN_VIEW,
PhabricatorPolicyCapability::CAN_EDIT,
))
->execute();
if (count($tasks) != count($task_phids)) {
return new Aphront404Response();
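Review bot: The count($tasks) != count($task_phids) check after the ManiphestTaskQuery treats any mismatch as a failure, so with CAN_VIEW and CAN_EDIT both required, a single task in $task_phids that the viewer cannot edit turns the whole request into a 404. If $task_phids can contain duplicates, or PHIDs for tasks other than the one being moved, a legitimate move would be rejected with no indication of which task failed the policy check. Consider de-duplicating $task_phids before the query and noting in a comment that every listed task must be editable by the viewer.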