diff --git a/src/applications/tokens/controller/PhabricatorTokenGiveController.php b/src/applications/tokens/controller/PhabricatorTokenGiveController.php
--- a/src/applications/tokens/controller/PhabricatorTokenGiveController.php
+++ b/src/applications/tokens/controller/PhabricatorTokenGiveController.php
@@ -14,6 +14,24 @@
 return new Aphront404Response();
 }
 
+ $object = id(new PhabricatorObjectQuery())
+ ->setViewer($viewer)
+ ->withPHIDs(array($phid))
+ ->executeOne();
+
+ if (!($object instanceof PhabricatorTokenReceiverInterface)) {
+ return new Aphront400Response();
+ }
+
+ if (!PhabricatorPolicyFilter::canInteract($viewer, $object)) {
+ $lock = PhabricatorEditEngineLock::newForObject($viewer, $object);
+
+ $dialog = $this->newDialog()
+ ->addCancelButton($handle->getURI());
+
+ return $lock->willBlockUserInteractionWithDialog($dialog);
+ }
+
 $current = id(new PhabricatorTokenGivenQuery())
 ->setViewer($viewer)
 ->withAuthorPHIDs(array($viewer->getPHID()))
diff --git a/src/applications/tokens/event/PhabricatorTokenUIEventListener.php b/src/applications/tokens/event/PhabricatorTokenUIEventListener.php
--- a/src/applications/tokens/event/PhabricatorTokenUIEventListener.php
+++ b/src/applications/tokens/event/PhabricatorTokenUIEventListener.php
@@ -37,6 +37,8 @@
 return null;
 }
 
+ $can_interact = PhabricatorPolicyFilter::canInteract($user, $object);
+
 $current = id(new PhabricatorTokenGivenQuery())
 ->setViewer($user)
 ->withAuthorPHIDs(array($user->getPHID()))
@@ -48,14 +50,17 @@
 ->setWorkflow(true)
 ->setHref('/token/give/'.$object->getPHID().'/')
 ->setName(pht('Award Token'))
- ->setIcon('fa-trophy');
+ ->setIcon('fa-trophy')
+ ->setDisabled(!$can_interact);
 } else {
 $token_action = id(new PhabricatorActionView())
 ->setWorkflow(true)
 ->setHref('/token/give/'.$object->getPHID().'/')
 ->setName(pht('Rescind Token'))
- ->setIcon('fa-trophy');
+ ->setIcon('fa-trophy')
+ ->setDisabled(!$can_interact);
 }
+
 if (!$user->isLoggedIn()) {
 $token_action->setDisabled(true);
 }
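Review bot: `executeOne()` returning null — an unknown PHID, or one the viewer's policies hide — falls into the same `Aphront400Response` branch as a wrong-type object, whereas the handle lookup just above this hunk answers with a 404; an explicit `if (!$object) { return new Aphront404Response(); }` before the `instanceof` test keeps the two lookups consistent and reserves 400 for objects that genuinely cannot receive tokens. The `canInteract` gate sits on the shared `/token/give/` route, so it appears to block rescinding an already-awarded token as well once the object is locked; if that is intended, a one-line comment such as `// Locked objects can neither receive nor lose tokens.` would save the next reader a question. `$phid` and `$handle` appear to be set earlier in the method, which starts before this hunk and continues past it.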
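Review bot: The two new `->setDisabled(!$can_interact)` calls in the PhabricatorTokenUIEventListener hunk duplicate a decision that the existing logged-in check below already makes once for both branches; folding it into that check, `$token_action->setDisabled(!$can_interact || !$user->isLoggedIn());`, removes the duplication and leaves the award and rescind branches identical apart from the label. Disabling the action is only a UI hint — the server-side check added to PhabricatorTokenGiveController in the first hunk is what actually enforces the lock — so a comment on the `$can_interact` assignment in the preceding hunk, e.g. `// UI hint only; PhabricatorTokenGiveController enforces the interaction policy.`, would make that division of responsibility explicit. The enclosing method starts before the preceding hunk.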