Commit 83c47012 authored by Chad Little's avatar Chad Little Committed by chad

Check CAN_VIEW and CAN_EDIT at SearchAttachController

Summary: Fixes T11193. Assume this is the correct place to check for permissions before attaching edges.

Test Plan: Create a task and set edit policy to Admins, log into test account. Try to Edit Subtasks, Merge Duplicates, Attach a Diff, or Attach a Mock, get a Policy Dialog explaining why.

Reviewers: epriestley

Reviewed By: epriestley

Subscribers: Korvin

Maniphest Tasks: T11193

Differential Revision: https://secure.phabricator.com/D16161
parent 921a5b49
......@@ -198,7 +198,6 @@ final class ManiphestTaskDetailController extends ManiphestController {
$task_submenu[] = id(new PhabricatorActionView())
->setName(pht('Edit Blocking Tasks'))
->setHref("/search/attach/{$phid}/TASK/blocks/")
->setWorkflow(true)
->setIcon('fa-link')
->setDisabled(!$can_edit)
->setWorkflow(true);
......@@ -206,7 +205,6 @@ final class ManiphestTaskDetailController extends ManiphestController {
$task_submenu[] = id(new PhabricatorActionView())
->setName(pht('Merge Duplicates In'))
->setHref("/search/attach/{$phid}/TASK/merge/")
->setWorkflow(true)
->setIcon('fa-compress')
->setDisabled(!$can_edit)
->setWorkflow(true);
......
......@@ -42,7 +42,6 @@ final class PholioActionMenuEventListener
return id(new PhabricatorActionView())
->setName(pht('Edit Pholio Mocks'))
->setHref("/search/attach/{$phid}/MOCK/edge/")
->setWorkflow(true)
->setIcon('fa-camera-retro')
->setDisabled(!$can_edit)
->setWorkflow(true);
......
......@@ -18,6 +18,11 @@ final class PhabricatorSearchAttachController
$object = id(new PhabricatorObjectQuery())
->setViewer($user)
->requireCapabilities(
array(
PhabricatorPolicyCapability::CAN_VIEW,
PhabricatorPolicyCapability::CAN_EDIT,
))
->withPHIDs(array($phid))
->executeOne();
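Review bot: The `requireCapabilities(...)` call added to this `PhabricatorObjectQuery` guards only the source object loaded from `$phid`; the objects on the other end of the edge are not loaded in this hunk, so it is not visible whether they get a comparable check. That matters most for the `merge` action linked from the Maniphest menu, where the other tasks are presumably modified as well, so the code that loads them should require `CAN_EDIT` on them rather than relying on view access. The controller method starts and ends outside the hunk, so this may already be handled further down. I would also add a comment above the query, `// Policy is enforced here; the action menus only mirror it.`, so the check is not later removed as redundant with the `setDisabled()` calls in the menus.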
......