From b0dfd42eef292a2727d8b791210b7ab33026e04d Mon Sep 17 00:00:00 2001
From: epriestley
Date: Thu, 19 Jan 2017 11:06:42 -0800
Subject: [PATCH] Don't require edit capability on the Favorites application to edit personal menu items
Summary: Ref T11096. Currently, editing ProfileMenuItemConfigurations always requires that you can edit the corresponding object. This is correct for global items (for example: you can't change the global menu for a project unless you can edit the project) but not for personal items. For personal items, only require that the user can edit the `customPHID` object. Today, this is always their own profile.
Test Plan: As a non-admin, edited personal menu items.
Reviewers: chad
Reviewed By: chad
Maniphest Tasks: T11096
Differential Revision: https://secure.phabricator.com/D17228
---
 .../engine/PhabricatorProfileMenuEngine.php | 14 ++++++++++----
 .../PhabricatorProfileMenuItemConfiguration.php | 15 +++++++++++++++
 2 files changed, 25 insertions(+), 4 deletions(-)
diff --git a/src/applications/search/engine/PhabricatorProfileMenuEngine.php b/src/applications/search/engine/PhabricatorProfileMenuEngine.php
index 6157d5f657..3e11436ced 100644
--- a/src/applications/search/engine/PhabricatorProfileMenuEngine.php
+++ b/src/applications/search/engine/PhabricatorProfileMenuEngine.php
@@ -557,10 +557,16 @@ abstract class PhabricatorProfileMenuEngine extends Phobject {
 $first_item->willBuildNavigationItems($group);
 }
- PhabricatorPolicyFilter::requireCapability(
- $viewer,
- $object,
- PhabricatorPolicyCapability::CAN_EDIT);
+ // Users only need to be able to edit the object which this menu appears
+ // on if they're editing global menu items. For example, users do not need
+ // to be able to edit the Favorites application to add new items to the
+ // Favorites menu.
+ if (!$this->getCustomPHID()) {
+ PhabricatorPolicyFilter::requireCapability(
+ $viewer,
+ $object,
+ PhabricatorPolicyCapability::CAN_EDIT);
+ }
 $list_id = celerity_generate_unique_node_id();
diff --git a/src/applications/search/storage/PhabricatorProfileMenuItemConfiguration.php b/src/applications/search/storage/PhabricatorProfileMenuItemConfiguration.php
index 943474669d..e1571ee6f6 100644
--- a/src/applications/search/storage/PhabricatorProfileMenuItemConfiguration.php
+++ b/src/applications/search/storage/PhabricatorProfileMenuItemConfiguration.php
@@ -189,6 +189,21 @@ final class PhabricatorProfileMenuItemConfiguration
 public function getExtendedPolicy($capability, PhabricatorUser $viewer) {
+ // If this is an item with a custom PHID (like a personal menu item),
+ // we only require that the user can edit the corresponding custom
+ // object (usually their own user profile), not the object that the
+ // menu appears on (which may be an Application like Favorites or Home).
+ if ($capability == PhabricatorPolicyCapability::CAN_EDIT) {
+ if ($this->getCustomPHID()) {
+ return array(
+ array(
+ $this->getCustomPHID(),
+ $capability,
+ ),
+ );
+ }
+ }
+
 return array(
 array(
 $this->getProfileObject(),
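Review bot: In the first hunk (PhabricatorProfileMenuEngine.php), once `getCustomPHID()` is set the `requireCapability()` call is skipped and nothing visible replaces it, so this code path performs no edit check of its own for personal menus. Individual item edits are still gated by the new `CAN_EDIT` branch of `getExtendedPolicy()` in PhabricatorProfileMenuItemConfiguration.php, but this page appears to depend on the caller having bound the custom PHID to the viewer, which the hunk does not show. I would either add an `else` branch that requires `CAN_EDIT` on the custom object, or at least record the invariant beside the check, for example `// The custom PHID must be derived from the viewer by the caller, never taken from request parameters.` The enclosing method starts and ends outside the hunk, so an equivalent check may already exist elsewhere in it.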