mirror of
https://we.phorge.it/source/phorge.git
synced 2024-12-21 13:00:56 +01:00
Users cannot attach diffs to revisions they don't own anymore.
Summary: Users were able to accidentally update revisions they didn't own. Now it is impossible to update a revision that belongs to someone else or has been marked as committed. Test Plan: Tested that normal workflow works as previously, but after running 'arc amend', running 'arc diff' fails. Manually changed the revision number in the git commit message and tried to update something that belongs to Jason -> Failed. Reviewed By: epriestley Reviewers: epriestley CC: jungejason, epriestley, tuomaspelkonen Differential Revision: 112
This commit is contained in:
parent
22297b71a0
commit
c797f9511a
2 changed files with 10 additions and 1 deletions
|
@ -39,6 +39,8 @@ class ConduitAPI_differential_updaterevision_Method extends ConduitAPIMethod {
|
|||
return array(
|
||||
'ERR_BAD_DIFF' => 'Bad diff ID.',
|
||||
'ERR_BAD_REVISION' => 'Bad revision ID.',
|
||||
'ERR_WRONG_USER' => 'You are not the author of this revision.',
|
||||
'ERR_COMMITTED' => 'This revision has already been committed.',
|
||||
);
|
||||
}
|
||||
|
||||
|
@ -50,7 +52,13 @@ class ConduitAPI_differential_updaterevision_Method extends ConduitAPIMethod {
|
|||
|
||||
$revision = id(new DifferentialRevision())->load($request->getValue('id'));
|
||||
|
||||
// TODO: verify owned, non-committed, etc.
|
||||
if ($request->getUser()->getPHID() !== $revision->getAuthorPHID()) {
|
||||
throw new ConduitException('ERR_WRONG_USER');
|
||||
}
|
||||
|
||||
if ($revision->getStatus() == DifferentialRevisionStatus::COMMITTED) {
|
||||
throw new ConduitException('ERR_COMMITTED');
|
||||
}
|
||||
|
||||
$editor = new DifferentialRevisionEditor(
|
||||
$revision,
|
||||
|
|
|
@ -8,6 +8,7 @@
|
|||
|
||||
phutil_require_module('phabricator', 'applications/conduit/method/base');
|
||||
phutil_require_module('phabricator', 'applications/conduit/protocol/exception');
|
||||
phutil_require_module('phabricator', 'applications/differential/constants/revisionstatus');
|
||||
phutil_require_module('phabricator', 'applications/differential/editor/revision');
|
||||
phutil_require_module('phabricator', 'applications/differential/storage/diff');
|
||||
phutil_require_module('phabricator', 'applications/differential/storage/revision');
|
||||
|
|
Loading…
Reference in a new issue