From cd8b5b82c8602f64a42efaaaa80ab96f40e6bbea Mon Sep 17 00:00:00 2001
From: epriestley <git@epriestley.com>
Date: Mon, 27 Aug 2018 07:52:04 -0700
Subject: [PATCH] Stop requiring CAN_EDIT to reach the TransactionEditor via
 "*.edit" in EditEngine

Summary:
Depends on D19607. Ref T13189. See PHI642. Ref T13186.

Some transactions can sometimes be applied to objects you can not edit. Currently, using `*.edit` to edit an object always explicitly requires CAN_EDIT.

Now that individual transactions require CAN_EDIT by default and can reduce or replace this requirement, stop requiring CAN_EDIT to reach the editor.

The only expected effect of this change is that low-permission edits (like disabling a user, leaving a project, or leaving a thread) can now work via `*.edit`.

Test Plan:
  - Tried to perform a normal edit (changing a task title) against an object with no CAN_EDIT. Still got a permissions error.
  - As a non-admin, disabled other users while holding the "Can Disable Users" permission.
  - As a non-admin, got a permissions error while trying to disable other users while not holding the "Can Disable Users" permission.

Reviewers: amckinley

Maniphest Tasks: T13189, T13186

Differential Revision: https://secure.phabricator.com/D19608
---
 .../editengine/PhabricatorEditEngine.php           | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/src/applications/transactions/editengine/PhabricatorEditEngine.php b/src/applications/transactions/editengine/PhabricatorEditEngine.php
index f8f6f371bc..ad495a3a44 100644
--- a/src/applications/transactions/editengine/PhabricatorEditEngine.php
+++ b/src/applications/transactions/editengine/PhabricatorEditEngine.php
@@ -2003,7 +2003,19 @@ abstract class PhabricatorEditEngine
     $identifier = $request->getValue('objectIdentifier');
     if ($identifier) {
       $this->setIsCreate(false);
-      $object = $this->newObjectFromIdentifier($identifier);
+
+      // After T13186, each transaction can individually weaken or replace the
+      // capabilities required to apply it, so we no longer need CAN_EDIT to
+      // attempt to apply transactions to objects. In practice, almost all
+      // transactions require CAN_EDIT so we won't get very far if we don't
+      // have it.
+      $capabilities = array(
+        PhabricatorPolicyCapability::CAN_VIEW,
+      );
+
+      $object = $this->newObjectFromIdentifier(
+        $identifier,
+        $capabilities);
     } else {
       $this->requireCreateCapability();