
Users cannot attach diffs to revisions they don't own anymore.

Summary:
Users were able to accidentally update revisions they didn't own. Now
it is impossible to update a revision that belongs to someone else or
has been marked as committed.

Test Plan:
Tested that normal workflow works as previously, but after running
'arc amend', running 'arc diff' fails.

Manually changed the revision number in the git commit message and tried
to update something that belongs to Jason -> Failed.

Reviewed By: epriestley
Reviewers: epriestley
CC: jungejason, epriestley, tuomaspelkonen
Differential Revision: 112
tuomaspelkonen 2011-04-07 17:03:41 -07:00
parent 22297b71a0
commit c797f9511a
2 changed files with 10 additions and 1 deletions


@ -39,6 +39,8 @@ class ConduitAPI_differential_updaterevision_Method extends ConduitAPIMethod {
return array(
'ERR_BAD_DIFF' => 'Bad diff ID.',
'ERR_BAD_REVISION' => 'Bad revision ID.',
'ERR_WRONG_USER' => 'You are not the author of this revision.',
'ERR_COMMITTED' => 'This revision has already been committed.',
);
}
@ -50,7 +52,13 @@ class ConduitAPI_differential_updaterevision_Method extends ConduitAPIMethod {
$revision = id(new DifferentialRevision())->load($request->getValue('id'));
// TODO: verify owned, non-committed, etc.
if ($request->getUser()->getPHID() !== $revision->getAuthorPHID()) {
throw new ConduitException('ERR_WRONG_USER');
}
if ($revision->getStatus() == DifferentialRevisionStatus::COMMITTED) {
throw new ConduitException('ERR_COMMITTED');
}
$editor = new DifferentialRevisionEditor(
$revision,
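Review bot: The new ownership check calls `$revision->getAuthorPHID()` directly after the `load()`, and no null check on `$revision` is visible between them in this hunk, so an unknown revision ID would presumably hit a fatal error on a null object instead of returning the declared `ERR_BAD_REVISION`. If no guard exists elsewhere in the method, add `if (!$revision) { throw new ConduitException('ERR_BAD_REVISION'); }` before the author comparison, so the authorization check always runs against a loaded object and fails closed with a defined error. The status test uses loose `==` while the PHID test uses `!==`. If that is deliberate, for example because `getStatus()` may return a different type than the constant (not visible here), a short comment saying so would stop a later cleanup to `===` from silently disabling the committed check. The method body starts and ends outside the hunk.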


@ -8,6 +8,7 @@
phutil_require_module('phabricator', 'applications/conduit/method/base');
phutil_require_module('phabricator', 'applications/conduit/protocol/exception');
phutil_require_module('phabricator', 'applications/differential/constants/revisionstatus');
phutil_require_module('phabricator', 'applications/differential/editor/revision');
phutil_require_module('phabricator', 'applications/differential/storage/diff');
phutil_require_module('phabricator', 'applications/differential/storage/revision');