mirror of
https://we.phorge.it/source/phorge.git
synced 2024-11-30 02:32:42 +01:00
Stop requiring CAN_EDIT to reach the TransactionEditor via "*.edit" in EditEngine
Summary: Depends on D19607. Ref T13189. See PHI642. Ref T13186. Some transactions can sometimes be applied to objects you can not edit. Currently, using `*.edit` to edit an object always explicitly requires CAN_EDIT. Now that individual transactions require CAN_EDIT by default and can reduce or replace this requirement, stop requiring CAN_EDIT to reach the editor. The only expected effect of this change is that low-permission edits (like disabling a user, leaving a project, or leaving a thread) can now work via `*.edit`.

Test Plan:
- Tried to perform a normal edit (changing a task title) against an object with no CAN_EDIT. Still got a permissions error.
- As a non-admin, disabled other users while holding the "Can Disable Users" permission.
- As a non-admin, got a permissions error while trying to disable other users while not holding the "Can Disable Users" permission.

Reviewers: amckinley

Maniphest Tasks: T13189, T13186

Differential Revision: https://secure.phabricator.com/D19608
This commit is contained in:
parent
f9192d07f2
commit
cd8b5b82c8
1 changed files with 13 additions and 1 deletions
|
@ -2003,7 +2003,19 @@ abstract class PhabricatorEditEngine
|
||||||
$identifier = $request->getValue('objectIdentifier');
|
$identifier = $request->getValue('objectIdentifier');
|
||||||
if ($identifier) {
|
if ($identifier) {
|
||||||
$this->setIsCreate(false);
|
$this->setIsCreate(false);
|
||||||
$object = $this->newObjectFromIdentifier($identifier);
|
|
||||||
|
// After T13186, each transaction can individually weaken or replace the
|
||||||
|
// capabilities required to apply it, so we no longer need CAN_EDIT to
|
||||||
|
// attempt to apply transactions to objects. In practice, almost all
|
||||||
|
// transactions require CAN_EDIT so we won't get very far if we don't
|
||||||
|
// have it.
|
||||||
|
$capabilities = array(
|
||||||
|
PhabricatorPolicyCapability::CAN_VIEW,
|
||||||
|
);
|
||||||
|
|
||||||
|
$object = $this->newObjectFromIdentifier(
|
||||||
|
$identifier,
|
||||||
|
$capabilities);
|
||||||
} else {
|
} else {
|
||||||
$this->requireCreateCapability();
|
$this->requireCreateCapability();
|
||||||
|
|
||||||
|
|
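Review bot: In the `if ($identifier)` branch the object is now loaded with only `PhabricatorPolicyCapability::CAN_VIEW`, so the CAN_EDIT decision rests entirely on the per-transaction checks this change depends on, and the new comment's "almost all transactions require CAN_EDIT" does not say where that requirement is enforced. Suggest naming the enforcement point in the comment so a later reader does not assume the load still gates edits. The test plan covers a normal edit and the "Can Disable Users" case separately; it would be worth adding a single `*.edit` request that mixes a low-permission transaction with a normal edit against an object without CAN_EDIT, to confirm the whole request is rejected rather than partly applied. The `else` branch is unchanged and still calls `requireCreateCapability()`.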