Fix join and remove policy checks for Conpherence

Summary: I think these got munged when I removed CAN_JOIN. - If you can view the room, you can join it. - ~~If you can view the room, you can add others to it.~~ This rule adjustment was removed, see discussion on the revision. - If you are a participant in the room, you can remove yourself. - If you can edit a room, you can remove anyone. Test Plan: Normal feature set: - Create a new room that only I can edit, viewable by all users. - Leave room (bye k thx) - Create another room, myself only - Join room from second account - See ability to only remove myself - Remove myself - Rejoin - Add third account - Log into first account - Boot off randos - Test joining by green button, message, and by + sign. Policy consistency: - As a user who can not edit the room, tried to add other members. Received policy exception. The `+` button is currently visible and enabled for all users (even users who have not joined the room) but this is pre-existing. Reviewers: chad Subscribers: Korvin Differential Revision: https://secure.phabricator.com/D17696
2024-11-25 16:22:43 +01:00 · 2017-04-15 06:08:00 -07:00 · 2017-04-15 06:08:00 -07:00 · c1e8b394cc
commit c1e8b394cc
parent f0fbf7a7d3
2 changed files with 16 additions and 9 deletions
--- a/src/applications/conpherence/controller/ConpherenceViewController.php
+++ b/src/applications/conpherence/controller/ConpherenceViewController.php
@ -147,9 +147,6 @@ final class ConpherenceViewController extends
    $user = $this->getRequest()->getUser();

    $participating = $conpherence->getParticipantIfExists($user->getPHID());
-    if (!$participating && $user->isLoggedIn()) {
-      return null;
-    }
    $draft = PhabricatorDraft::newFromUserAndKey(
      $user,
      $conpherence->getPHID());
--- a/src/applications/conpherence/editor/ConpherenceEditor.php
+++ b/src/applications/conpherence/editor/ConpherenceEditor.php
@ -341,13 +341,23 @@ final class ConpherenceEditor extends PhabricatorApplicationTransactionEditor {
        $add = array_keys(array_diff_key($new_map, $old_map));
        $rem = array_keys(array_diff_key($old_map, $new_map));

-        $actor_phid = $this->requireActor()->getPHID();
+        $actor_phid = $this->getActingAsPHID();

-        // You need CAN_EDIT to change participants other than yourself.
-        PhabricatorPolicyFilter::requireCapability(
-          $this->requireActor(),
-          $object,
-          PhabricatorPolicyCapability::CAN_EDIT);
+        $is_join = (($add === array($actor_phid)) && !$rem);
+        $is_leave = (($rem === array($actor_phid)) && !$add);
+
+        if ($is_join) {
+          // Anyone can join a thread they can see.
+        } else if ($is_leave) {
+          // Anyone can leave a thread.
+        } else {
+          // You need CAN_EDIT to add or remove participants. For additional
+          // discussion, see D17696 and T4411.
+          PhabricatorPolicyFilter::requireCapability(
+            $this->requireActor(),
+            $object,
+            PhabricatorPolicyCapability::CAN_EDIT);
+        }

        break;
      case ConpherenceThreadTitleTransaction::TRANSACTIONTYPE: