Page Menu
Home
Phabricator
Search
Configure Global Search
Log In
Files
F14111535
D20716.diff
No One
Temporary
Actions
View File
Edit File
Delete File
View Transforms
Subscribe
Mute Notifications
Award Token
Flag For Later
Size
4 KB
Referenced Files
None
Subscribers
None
D20716.diff
View Options
diff --git a/src/applications/phortune/controller/merchant/PhortuneMerchantInvoiceCreateController.php b/src/applications/phortune/controller/merchant/PhortuneMerchantInvoiceCreateController.php
--- a/src/applications/phortune/controller/merchant/PhortuneMerchantInvoiceCreateController.php
+++ b/src/applications/phortune/controller/merchant/PhortuneMerchantInvoiceCreateController.php
@@ -58,9 +58,10 @@
}
if (!$target_account) {
- $accounts = PhortuneAccountQuery::loadAccountsForUser(
- $target_user,
- PhabricatorContentSource::newFromRequest($request));
+ $accounts = id(new PhortuneAccountQuery())
+ ->setViewer($viewer)
+ ->withMemberPHIDs(array($target_user->getPHID()))
+ ->execute();
$form = id(new AphrontFormView())
->setUser($viewer)
diff --git a/src/applications/phortune/query/PhortuneMerchantQuery.php b/src/applications/phortune/query/PhortuneMerchantQuery.php
--- a/src/applications/phortune/query/PhortuneMerchantQuery.php
+++ b/src/applications/phortune/query/PhortuneMerchantQuery.php
@@ -86,14 +86,14 @@
if ($this->ids !== null) {
$where[] = qsprintf(
$conn,
- 'id IN (%Ld)',
+ 'merchant.id IN (%Ld)',
$this->ids);
}
if ($this->phids !== null) {
$where[] = qsprintf(
$conn,
- 'phid IN (%Ls)',
+ 'merchant.phid IN (%Ls)',
$this->phids);
}
@@ -113,7 +113,7 @@
if ($this->memberPHIDs !== null) {
$joins[] = qsprintf(
$conn,
- 'LEFT JOIN %T e ON m.phid = e.src AND e.type = %d',
+ 'LEFT JOIN %T e ON merchant.phid = e.src AND e.type = %d',
PhabricatorEdgeConfig::TABLE_NAME_EDGE,
PhortuneMerchantHasMemberEdgeType::EDGECONST);
}
@@ -126,7 +126,68 @@
}
protected function getPrimaryTableAlias() {
- return 'm';
+ return 'merchant';
+ }
+
+ public static function canViewersEditMerchants(
+ array $viewer_phids,
+ array $merchant_phids) {
+
+ // See T13366 for some discussion. This is an unusual caching construct to
+ // make policy filtering of Accounts easier.
+
+ foreach ($viewer_phids as $key => $viewer_phid) {
+ if (!$viewer_phid) {
+ unset($viewer_phids[$key]);
+ }
+ }
+
+ if (!$viewer_phids) {
+ return array();
+ }
+
+ $cache_key = 'phortune.merchant.can-edit';
+ $cache = PhabricatorCaches::getRequestCache();
+
+ $cache_data = $cache->getKey($cache_key);
+ if (!$cache_data) {
+ $cache_data = array();
+ }
+
+ $load_phids = array();
+ foreach ($viewer_phids as $viewer_phid) {
+ if (!isset($cache_data[$viewer_phid])) {
+ $load_phids[] = $viewer_phid;
+ }
+ }
+
+ $did_write = false;
+ foreach ($load_phids as $load_phid) {
+ $merchants = id(new self())
+ ->setViewer(PhabricatorUser::getOmnipotentUser())
+ ->withMemberPHIDs(array($load_phid))
+ ->execute();
+ foreach ($merchants as $merchant) {
+ $cache_data[$load_phid][$merchant->getPHID()] = true;
+ $did_write = true;
+ }
+ }
+
+ if ($did_write) {
+ $cache->setKey($cache_key, $cache_data);
+ }
+
+ $results = array();
+ foreach ($viewer_phids as $viewer_phid) {
+ foreach ($merchant_phids as $merchant_phid) {
+ if (!isset($cache_data[$viewer_phid][$merchant_phid])) {
+ continue;
+ }
+ $results[$viewer_phid][$merchant_phid] = true;
+ }
+ }
+
+ return $results;
}
}
diff --git a/src/applications/phortune/storage/PhortuneAccount.php b/src/applications/phortune/storage/PhortuneAccount.php
--- a/src/applications/phortune/storage/PhortuneAccount.php
+++ b/src/applications/phortune/storage/PhortuneAccount.php
@@ -179,13 +179,18 @@
return true;
}
- // If the viewer is acting on behalf of a merchant, they can see
- // payment accounts.
+ // See T13366. If the viewer can edit any merchant that this payment
+ // account has a relationship with, they can see the payment account.
if ($capability == PhabricatorPolicyCapability::CAN_VIEW) {
- foreach ($viewer->getAuthorities() as $authority) {
- if ($authority instanceof PhortuneMerchant) {
- return true;
- }
+ $viewer_phids = array($viewer->getPHID());
+ $merchant_phids = $this->getMerchantPHIDs();
+
+ $any_edit = PhortuneMerchantQuery::canViewersEditMerchants(
+ $viewer_phids,
+ $merchant_phids);
+
+ if ($any_edit) {
+ return true;
}
}
@@ -193,7 +198,10 @@
}
public function describeAutomaticCapability($capability) {
- return pht('Members of an account can always view and edit it.');
+ return array(
+ pht('Members of an account can always view and edit it.'),
+ pht('Merchants an account has established a relationship can view it.'),
+ );
}
File Metadata
Details
Attached
Mime Type
text/plain
Expires
Thu, Nov 28, 9:55 PM (19 h, 3 m)
Storage Engine
blob
Storage Format
Encrypted (AES-256-CBC)
Storage Handle
6802429
Default Alt Text
D20716.diff (4 KB)
Attached To
Mode
D20716: In Phortune, use actual merchant authority (not authority grants) to control account visibility
Attached
Detach File
Event Timeline
Log In to Comment