Page Menu
Home
Phabricator
Search
Configure Global Search
Log In
Files
F15392375
D17452.id41963.diff
No One
Temporary
Actions
View File
Edit File
Delete File
View Transforms
Subscribe
Mute Notifications
Award Token
Flag For Later
Size
5 KB
Referenced Files
None
Subscribers
None
D17452.id41963.diff
View Options
diff --git a/src/applications/differential/xaction/DifferentialRevisionActionTransaction.php b/src/applications/differential/xaction/DifferentialRevisionActionTransaction.php
--- a/src/applications/differential/xaction/DifferentialRevisionActionTransaction.php
+++ b/src/applications/differential/xaction/DifferentialRevisionActionTransaction.php
@@ -74,9 +74,15 @@
DifferentialRevision $revision,
PhabricatorUser $viewer) {
+ // Actions in the "review" group, like "Accept Revision", do not require
+ // that the actor be able to edit the revision.
+ $group_review = DifferentialRevisionEditEngine::ACTIONGROUP_REVIEW;
+ $is_review = ($this->getRevisionActionGroupKey() == $group_review);
+
$field = id(new PhabricatorApplyEditField())
->setKey($this->getRevisionActionKey())
->setTransactionType($this->getTransactionTypeConstant())
+ ->setCanApplyWithoutEditCapability($is_review)
->setValue(true);
if ($this->isActionAvailable($revision, $viewer)) {
diff --git a/src/applications/diffusion/xaction/DiffusionCommitActionTransaction.php b/src/applications/diffusion/xaction/DiffusionCommitActionTransaction.php
--- a/src/applications/diffusion/xaction/DiffusionCommitActionTransaction.php
+++ b/src/applications/diffusion/xaction/DiffusionCommitActionTransaction.php
@@ -70,9 +70,15 @@
PhabricatorRepositoryCommit $commit,
PhabricatorUser $viewer) {
+ // Actions in the "audit" group, like "Accept Commit", do not require
+ // that the actor be able to edit the commit.
+ $group_audit = DiffusionCommitEditEngine::ACTIONGROUP_AUDIT;
+ $is_audit = ($this->getCommitActionGroupKey() == $group_audit);
+
$field = id(new PhabricatorApplyEditField())
->setKey($this->getCommitActionKey())
->setTransactionType($this->getTransactionTypeConstant())
+ ->setCanApplyWithoutEditCapability($is_audit)
->setValue(true);
if ($this->isActionAvailable($commit, $viewer)) {
diff --git a/src/applications/transactions/editengine/PhabricatorEditEngine.php b/src/applications/transactions/editengine/PhabricatorEditEngine.php
--- a/src/applications/transactions/editengine/PhabricatorEditEngine.php
+++ b/src/applications/transactions/editengine/PhabricatorEditEngine.php
@@ -1586,12 +1586,23 @@
$fields = $this->buildEditFields($object);
+ $can_edit = PhabricatorPolicyFilter::hasCapability(
+ $viewer,
+ $object,
+ PhabricatorPolicyCapability::CAN_EDIT);
+
$comment_actions = array();
foreach ($fields as $field) {
if (!$field->shouldGenerateTransactionsFromComment()) {
continue;
}
+ if (!$can_edit) {
+ if (!$field->getCanApplyWithoutEditCapability()) {
+ continue;
+ }
+ }
+
$comment_action = $field->getCommentAction();
if (!$comment_action) {
continue;
@@ -1812,6 +1823,11 @@
$xactions = array();
+ $can_edit = PhabricatorPolicyFilter::hasCapability(
+ $viewer,
+ $object,
+ PhabricatorPolicyCapability::CAN_EDIT);
+
if ($actions) {
$action_map = array();
foreach ($actions as $action) {
@@ -1834,6 +1850,21 @@
continue;
}
+ // If you don't have edit permission on the object, you're limited in
+ // which actions you can take via the comment form. Most actions
+ // need edit permission, but some actions (like "Accept Revision")
+ // can be applied by anyone with view permission.
+ if (!$can_edit) {
+ if (!$field->getCanApplyWithoutEditCapability()) {
+ // We know the user doesn't have the capability, so this will
+ // raise a policy exception.
+ PhabricatorPolicyFilter::requireCapability(
+ $viewer,
+ $object,
+ PhabricatorPolicyCapability::CAN_EDIT);
+ }
+ }
+
if (array_key_exists('initialValue', $action)) {
$field->setInitialValue($action['initialValue']);
}
diff --git a/src/applications/transactions/editfield/PhabricatorEditField.php b/src/applications/transactions/editfield/PhabricatorEditField.php
--- a/src/applications/transactions/editfield/PhabricatorEditField.php
+++ b/src/applications/transactions/editfield/PhabricatorEditField.php
@@ -36,6 +36,7 @@
private $isEditDefaults;
private $isSubmittedForm;
private $controlError;
+ private $canApplyWithoutEditCapability = false;
private $isReorderable = true;
private $isDefaultable = true;
@@ -292,6 +293,15 @@
return $this->controlInstructions;
}
+ public function setCanApplyWithoutEditCapability($can_apply) {
+ $this->canApplyWithoutEditCapability = $can_apply;
+ return $this;
+ }
+
+ public function getCanApplyWithoutEditCapability() {
+ return $this->canApplyWithoutEditCapability;
+ }
+
protected function newControl() {
throw new PhutilMethodNotImplementedException();
}
diff --git a/src/applications/transactions/engineextension/PhabricatorCommentEditEngineExtension.php b/src/applications/transactions/engineextension/PhabricatorCommentEditEngineExtension.php
--- a/src/applications/transactions/engineextension/PhabricatorCommentEditEngineExtension.php
+++ b/src/applications/transactions/engineextension/PhabricatorCommentEditEngineExtension.php
@@ -39,6 +39,10 @@
$comment_type = PhabricatorTransactions::TYPE_COMMENT;
+ // Comments have a lot of special behavior which doesn't always check
+ // this flag, but we set it for consistency.
+ $is_interact = true;
+
$comment_field = id(new PhabricatorCommentEditField())
->setKey(self::EDITKEY)
->setLabel(pht('Comments'))
@@ -47,6 +51,7 @@
->setIsReorderable(false)
->setIsDefaultable(false)
->setIsLockable(false)
+ ->setCanApplyWithoutEditCapability($is_interact)
->setTransactionType($comment_type)
->setConduitDescription(pht('Make comments.'))
->setConduitTypeDescription(
File Metadata
Details
Attached
Mime Type
text/plain
Expires
Sun, Mar 16, 2:50 PM (5 d, 8 h ago)
Storage Engine
blob
Storage Format
Encrypted (AES-256-CBC)
Storage Handle
7441849
Default Alt Text
D17452.id41963.diff (5 KB)
Attached To
Mode
D17452: Prevent users from taking "edit"-like actions via comment forms if they don't have edit permission
Attached
Detach File
Event Timeline
Log In to Comment