Page MenuHomePhabricator
Paste P1933


Authored by epriestley on Jan 28 2016, 6:06 PM.
Referenced Files
F1079091: WMFLockTaskController.php
Jan 28 2016, 6:06 PM
final class WMFLockTaskController extends PhabricatorController {
public function handleRequest(AphrontRequest $request) {
$viewer = $this->getViewer();
$id = $request->getURIData('id');
$task = id(new ManiphestTaskQuery())
if (!$task) {
return new Aphront404Response();
$task_uri = '/'.$task->getMonogram();
// See "WMFLockTaskEventListener" for notes.
$is_locked = false;
$can_lock = $viewer->isLoggedIn();
// Task is already locked, show a "this is already locked" dialog.
if ($is_locked) {
return $this->newDialog()
->setTitle(pht('Already Locked'))
'This task is already locked as a security issue. To disclose '.
'it, adjust policies explicitly.'))
// Task can't be locked by the acting user, show a "you can't do this"
// dialog.
if (!$can_lock) {
return $this->newDialog()
->setTitle(pht('No Permission'))
'You do not have permission to lock tasks as security issues. '.
'Only users A, B, C, or whatever can do this. Ask one of them '.
'nicely if you need this to be locked.'))
// User submitted the form, so lock the task.
if ($request->isFormPost()) {
$comment_text = $request->getStr('comments');
$template = $task->getApplicationTransactionTemplate();
$comment_template = $template->getApplicationTransactionCommentObject();
$xactions = array();
$xactions[] = id(clone $template)
id(clone $comment_template)
// IMPORTANT: Apply additional transactions here to actually lock the
// task! I'm just changing the title as an example.
$xactions[] = id(clone $template)
->setNewValue('[LOCKED!] '.$task->getTitle());
// NOTE: This uses the omnipotent viewer to force the edit through, even
// if the user can not otherwise edit the task. We still act as the user,
// so transactions will render normally.
$omnipotent_user = PhabricatorUser::getOmnipotentUser();
$editor = id(new ManiphestTransactionEditor())
$editor->applyTransactions($task, $xactions);
// This may bring the user to a policy exception if they can no longer
// see the task.
return id(new AphrontRedirectResponse())
// By default, show a "lock" form.
$form = id(new AphrontFormView())
'(IMPORTANT) Submitting this form will lock the task so that only '.
'the security team and original author can see it. You may not be '.
'able to see the task after the lock is applied.'))
id(new AphrontFormTextAreaControl())
return $this->newDialog()
->setTitle(pht('Lock Task'))
->addSubmitButton(pht('Lock Task'));