Don't require edit capability on the Favorites application to edit personal menu items

Summary: Ref T11096. Currently, editing ProfileMenuItemConfigurations always requires that you can edit the corresponding object. This is correct for global items (for example: you can't change the global menu for a project unless you can edit the project) but not for personal items. For personal items, only require that the user can edit the `customPHID` object. Today, this is always their own profile. Test Plan: As a non-admin, edited personal menu items. Reviewers: chad Reviewed By: chad Maniphest Tasks: T11096 Differential Revision: https://secure.phabricator.com/D17228
2025-01-08 22:01:03 +01:00 · 2017-01-19 11:06:42 -08:00 · 2017-01-19 11:06:42 -08:00 · b0dfd42eef
commit b0dfd42eef
parent 269dd81f91
2 changed files with 25 additions and 4 deletions
--- a/src/applications/search/engine/PhabricatorProfileMenuEngine.php
+++ b/src/applications/search/engine/PhabricatorProfileMenuEngine.php
@ -557,10 +557,16 @@ abstract class PhabricatorProfileMenuEngine extends Phobject {
      $first_item->willBuildNavigationItems($group);
    }

-    PhabricatorPolicyFilter::requireCapability(
-      $viewer,
-      $object,
-      PhabricatorPolicyCapability::CAN_EDIT);
+    // Users only need to be able to edit the object which this menu appears
+    // on if they're editing global menu items. For example, users do not need
+    // to be able to edit the Favorites application to add new items to the
+    // Favorites menu.
+    if (!$this->getCustomPHID()) {
+      PhabricatorPolicyFilter::requireCapability(
+        $viewer,
+        $object,
+        PhabricatorPolicyCapability::CAN_EDIT);
+    }

    $list_id = celerity_generate_unique_node_id();

--- a/src/applications/search/storage/PhabricatorProfileMenuItemConfiguration.php
+++ b/src/applications/search/storage/PhabricatorProfileMenuItemConfiguration.php
@ -189,6 +189,21 @@ final class PhabricatorProfileMenuItemConfiguration


  public function getExtendedPolicy($capability, PhabricatorUser $viewer) {
+    // If this is an item with a custom PHID (like a personal menu item),
+    // we only require that the user can edit the corresponding custom
+    // object (usually their own user profile), not the object that the
+    // menu appears on (which may be an Application like Favorites or Home).
+    if ($capability == PhabricatorPolicyCapability::CAN_EDIT) {
+      if ($this->getCustomPHID()) {
+        return array(
+          array(
+            $this->getCustomPHID(),
+            $capability,
+          ),
+        );
+      }
+    }
+
    return array(
      array(
        $this->getProfileObject(),