Page MenuHomePhabricator
Differential D20716

In Phortune, use actual merchant authority (not authority grants) to control account visibility
ClosedPublic
Actions

Authored by epriestley on Aug 16 2019, 3:18 PM.
Tags
None
Referenced Files
Unknown Object (File)
Tue, Jan 21, 3:31 PM
Unknown Object (File)
Tue, Jan 21, 12:01 PM
Unknown Object (File)
Sat, Jan 18, 5:09 AM
Unknown Object (File)
Wed, Jan 8, 2:47 PM
Unknown Object (File)
Mon, Dec 30, 9:48 AM
Unknown Object (File)
Sun, Dec 29, 7:26 PM
Unknown Object (File)
Dec 21 2024, 10:11 AM
Unknown Object (File)
Dec 16 2024, 7:42 AM
View All Files
Subscribers
None

Details

Reviewers
None
Maniphest Tasks
T13366: Update Phortune to work better with "enterprise" billing/accounts departments
Commits
rPa3213ab20be6: In Phortune, use actual merchant authority (not authority grants) to control…
Summary

Depends on D20715. Ref T13366. See that task for discussion.

Replace the unreliable "grantAuthority()"-based check with an actual "can the viewer edit any merchant this account has a relationship with?" check.

This makes these objects easier to use from a policy perspective and makes it so that the Query alone can fully enforce permissions properly with no setup, so general infrastructure (like handles and transactions) works properly with Phortune objects.

Test Plan

Viewed merchants and accounts as users with no authority, direct authority on the account, and indirect authority via a merchant relationship.

Diff Detail

Repository
rP Phabricator
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Revision Contents
Changeset List

PathSize
src/
applications/
phortune/
controller/
merchant/
7 lines
query/
69 lines
storage/
22 lines

Diff 49433

View Options

src/applications/phortune/controller/merchant/PhortuneMerchantInvoiceCreateController.php

Loading...
View Options

src/applications/phortune/query/PhortuneMerchantQuery.php

Loading...
View Options

src/applications/phortune/storage/PhortuneAccount.php

Loading...
Phabricator · Built by Phacility