Page MenuHomePhabricator

D11049.id26534.diff
No OneTemporary

D11049.id26534.diff

diff --git a/src/applications/maniphest/controller/ManiphestTransactionSaveController.php b/src/applications/maniphest/controller/ManiphestTransactionSaveController.php
--- a/src/applications/maniphest/controller/ManiphestTransactionSaveController.php
+++ b/src/applications/maniphest/controller/ManiphestTransactionSaveController.php
@@ -147,10 +147,30 @@
$task->getSubscriberPHIDs()));
if ($added_ccs) {
- // We've added CCs, so include a CC transaction.
- $all_ccs = array_merge($task->getSubscriberPHIDs(), $added_ccs);
- $cc_transaction->setNewValue(array('=' => $all_ccs));
- $transactions[] = $cc_transaction;
+ $users = id(new PhabricatorPeopleQuery())
+ ->setViewer($user)
+ ->withPHIDs($added_ccs)
+ ->execute();
+ $users = mpull($users, null, 'getPHID');
+
+ // Check if the added_ccs have CAN_VIEW permission on the object
+ foreach ($added_ccs as $key => $added_cc) {
+ if ($task instanceof PhabricatorPolicyInterface
+ && !PhabricatorPolicyFilter::hasCapability(
+ $users[$added_cc],
+ $task,
+ PhabricatorPolicyCapability::CAN_VIEW)
+ ) {
+ unset($added_ccs[$key]);
+ }
+ }
+
+ if ($added_ccs) {
+ // We've added CCs, so include a CC transaction.
+ $all_ccs = array_merge($task->getSubscriberPHIDs(), $added_ccs);
+ $cc_transaction->setNewValue(array('=' => $all_ccs));
+ $transactions[] = $cc_transaction;
+ }
}
$comments = $request->getStr('comments');
diff --git a/src/applications/transactions/editor/PhabricatorApplicationTransactionEditor.php b/src/applications/transactions/editor/PhabricatorApplicationTransactionEditor.php
--- a/src/applications/transactions/editor/PhabricatorApplicationTransactionEditor.php
+++ b/src/applications/transactions/editor/PhabricatorApplicationTransactionEditor.php
@@ -1053,13 +1053,32 @@
$phids = array_diff($phids, $this->subscribers);
}
- foreach ($phids as $key => $phid) {
- if ($object->isAutomaticallySubscribed($phid)) {
- unset($phids[$key]);
+ if ($phids) {
+ $users = id(new PhabricatorPeopleQuery())
+ ->setViewer($this->getActor())
+ ->withPHIDs($phids)
+ ->execute();
+ $users = mpull($users, null, 'getPHID');
+
+ foreach ($phids as $key => $phid) {
+ // Do not subscribe mentioned users
+ // who do not have VIEW Permissions
+ if ($object instanceof PhabricatorPolicyInterface
+ && !PhabricatorPolicyFilter::hasCapability(
+ $users[$phid],
+ $object,
+ PhabricatorPolicyCapability::CAN_VIEW)
+ ) {
+ unset($phids[$key]);
+ } else {
+ if ($object->isAutomaticallySubscribed($phid)) {
+ unset($phids[$key]);
+ }
+ }
}
+ $phids = array_values($phids);
}
- $phids = array_values($phids);
-
+ // No else here to properly return null should we unset all subscriber
if (!$phids) {
return null;
}

File Metadata

Mime Type
text/plain
Expires
Fri, Mar 14, 8:11 PM (4 d, 11 h ago)
Storage Engine
blob
Storage Format
Encrypted (AES-256-CBC)
Storage Handle
7669165
Default Alt Text
D11049.id26534.diff (3 KB)

Event Timeline