Page MenuHomePhabricator

Check CAN_VIEW and CAN_EDIT at SearchAttachController

Authored by chad on Jun 22 2016, 2:46 AM.



Fixes T11193. Assume this is the correct place to check for permissions before attaching edges.

Test Plan

Create a task and set edit policy to Admins, log into test account. Try to Edit Subtasks, Merge Duplicates, Attach a Diff, or Attach a Mock, get a Policy Dialog explaing why.

Diff Detail

rP Phabricator
Lint Not Applicable
Tests Not Applicable

Event Timeline

chad retitled this revision from to Check CAN_VIEW and CAN_EDIT at SearchAttachController.
chad updated this object.
chad edited the test plan for this revision. (Show Details)
chad added a reviewer: epriestley.
  • Also test the Admin side
epriestley edited edge metadata.

I think this is the right rule. It does create this sort of weird outcome when you can only edit one of the objects at the ends of a relationship. For example, if you can edit task X but not revision Y, you can edit the relationship between them from the task page but not the revision page.

I think this is actually reasonable/consistent/desirable and aligns with expectations, though, at least for "X is related to Y".

For "merge", we probably want to require that you be able to edit both tasks, but all of this is likely getting modularized/refreshed shortly anyway.

This revision is now accepted and ready to land.Jun 22 2016, 12:20 PM
This revision was automatically updated to reflect the committed changes.