Page Menu
Home
Phabricator
Search
Configure Global Search
Log In
Files
F15379315
D11049.id26534.diff
No One
Temporary
Actions
View File
Edit File
Delete File
View Transforms
Subscribe
Mute Notifications
Award Token
Flag For Later
Size
3 KB
Referenced Files
None
Subscribers
None
D11049.id26534.diff
View Options
diff --git a/src/applications/maniphest/controller/ManiphestTransactionSaveController.php b/src/applications/maniphest/controller/ManiphestTransactionSaveController.php
--- a/src/applications/maniphest/controller/ManiphestTransactionSaveController.php
+++ b/src/applications/maniphest/controller/ManiphestTransactionSaveController.php
@@ -147,10 +147,30 @@
$task->getSubscriberPHIDs()));
if ($added_ccs) {
- // We've added CCs, so include a CC transaction.
- $all_ccs = array_merge($task->getSubscriberPHIDs(), $added_ccs);
- $cc_transaction->setNewValue(array('=' => $all_ccs));
- $transactions[] = $cc_transaction;
+ $users = id(new PhabricatorPeopleQuery())
+ ->setViewer($user)
+ ->withPHIDs($added_ccs)
+ ->execute();
+ $users = mpull($users, null, 'getPHID');
+
+ // Check if the added_ccs have CAN_VIEW permission on the object
+ foreach ($added_ccs as $key => $added_cc) {
+ if ($task instanceof PhabricatorPolicyInterface
+ && !PhabricatorPolicyFilter::hasCapability(
+ $users[$added_cc],
+ $task,
+ PhabricatorPolicyCapability::CAN_VIEW)
+ ) {
+ unset($added_ccs[$key]);
+ }
+ }
+
+ if ($added_ccs) {
+ // We've added CCs, so include a CC transaction.
+ $all_ccs = array_merge($task->getSubscriberPHIDs(), $added_ccs);
+ $cc_transaction->setNewValue(array('=' => $all_ccs));
+ $transactions[] = $cc_transaction;
+ }
}
$comments = $request->getStr('comments');
diff --git a/src/applications/transactions/editor/PhabricatorApplicationTransactionEditor.php b/src/applications/transactions/editor/PhabricatorApplicationTransactionEditor.php
--- a/src/applications/transactions/editor/PhabricatorApplicationTransactionEditor.php
+++ b/src/applications/transactions/editor/PhabricatorApplicationTransactionEditor.php
@@ -1053,13 +1053,32 @@
$phids = array_diff($phids, $this->subscribers);
}
- foreach ($phids as $key => $phid) {
- if ($object->isAutomaticallySubscribed($phid)) {
- unset($phids[$key]);
+ if ($phids) {
+ $users = id(new PhabricatorPeopleQuery())
+ ->setViewer($this->getActor())
+ ->withPHIDs($phids)
+ ->execute();
+ $users = mpull($users, null, 'getPHID');
+
+ foreach ($phids as $key => $phid) {
+ // Do not subscribe mentioned users
+ // who do not have VIEW Permissions
+ if ($object instanceof PhabricatorPolicyInterface
+ && !PhabricatorPolicyFilter::hasCapability(
+ $users[$phid],
+ $object,
+ PhabricatorPolicyCapability::CAN_VIEW)
+ ) {
+ unset($phids[$key]);
+ } else {
+ if ($object->isAutomaticallySubscribed($phid)) {
+ unset($phids[$key]);
+ }
+ }
}
+ $phids = array_values($phids);
}
- $phids = array_values($phids);
-
+ // No else here to properly return null should we unset all subscriber
if (!$phids) {
return null;
}
File Metadata
Details
Attached
Mime Type
text/plain
Expires
Fri, Mar 14, 8:11 PM (1 w, 1 d ago)
Storage Engine
blob
Storage Format
Encrypted (AES-256-CBC)
Storage Handle
7669165
Default Alt Text
D11049.id26534.diff (3 KB)
Attached To
Mode
D11049: Do not CC users without permissions to view an object
Attached
Detach File
Event Timeline
Log In to Comment