Differential D7751 Diff 17565 src/applications/phragment/controller/PhragmentSnapshotPromoteController.php
src/applications/phragment/controller/PhragmentSnapshotPromoteController.php
Show All 17 Lines | public function processRequest() { | ||||
$request = $this->getRequest(); | $request = $this->getRequest(); | ||||
$viewer = $request->getUser(); | $viewer = $request->getUser(); | ||||
// When the user is promoting a snapshot to the latest version, the | // When the user is promoting a snapshot to the latest version, the | ||||
// identifier is a fragment path. | // identifier is a fragment path. | ||||
if ($this->dblob !== null) { | if ($this->dblob !== null) { | ||||
$this->targetFragment = id(new PhragmentFragmentQuery()) | $this->targetFragment = id(new PhragmentFragmentQuery()) | ||||
->setViewer($viewer) | ->setViewer($viewer) | ||||
->requireCapabilities(array( | |||||
PhabricatorPolicyCapability::CAN_VIEW, | |||||
PhabricatorPolicyCapability::CAN_EDIT)) | |||||
->withPaths(array($this->dblob)) | ->withPaths(array($this->dblob)) | ||||
->executeOne(); | ->executeOne(); | ||||
if ($this->targetFragment === null) { | if ($this->targetFragment === null) { | ||||
return new Aphront404Response(); | return new Aphront404Response(); | ||||
} | } | ||||
$this->snapshots = id(new PhragmentSnapshotQuery()) | $this->snapshots = id(new PhragmentSnapshotQuery()) | ||||
->setViewer($viewer) | ->setViewer($viewer) | ||||
->withPrimaryFragmentPHIDs(array($this->targetFragment->getPHID())) | ->withPrimaryFragmentPHIDs(array($this->targetFragment->getPHID())) | ||||
->execute(); | ->execute(); | ||||
} | } | ||||
// When the user is promoting a snapshot to another snapshot, the | // When the user is promoting a snapshot to another snapshot, the | ||||
// identifier is another snapshot ID. | // identifier is another snapshot ID. | ||||
if ($this->id !== null) { | if ($this->id !== null) { | ||||
$this->targetSnapshot = id(new PhragmentSnapshotQuery()) | $this->targetSnapshot = id(new PhragmentSnapshotQuery()) | ||||
->setViewer($viewer) | ->setViewer($viewer) | ||||
->requireCapabilities(array( | |||||
PhabricatorPolicyCapability::CAN_VIEW, | |||||
PhabricatorPolicyCapability::CAN_EDIT)) | |||||
->withIDs(array($this->id)) | ->withIDs(array($this->id)) | ||||
->executeOne(); | ->executeOne(); | ||||
if ($this->targetSnapshot === null) { | if ($this->targetSnapshot === null) { | ||||
return new Aphront404Response(); | return new Aphront404Response(); | ||||
} | } | ||||
$this->snapshots = id(new PhragmentSnapshotQuery()) | $this->snapshots = id(new PhragmentSnapshotQuery()) | ||||
->setViewer($viewer) | ->setViewer($viewer) | ||||
->withPrimaryFragmentPHIDs(array( | ->withPrimaryFragmentPHIDs(array( | ||||
$this->targetSnapshot->getPrimaryFragmentPHID())) | $this->targetSnapshot->getPrimaryFragmentPHID())) | ||||
epriestley: Prefer to use `requireCapabilities(VIEW, EDIT)` when querying over explicit checks, if you can. | |||||
->execute(); | ->execute(); | ||||
} | } | ||||
// If there's no identifier, just 404. | // If there's no identifier, just 404. | ||||
if ($this->snapshots === null) { | if ($this->snapshots === null) { | ||||
return new Aphront404Response(); | return new Aphront404Response(); | ||||
} | } | ||||
▲ Show 20 Lines • Show All 75 Lines • ▼ Show 20 Lines | if ($request->isDialogFormPost()) { | ||||
->setSnapshotPHID($snapshot->getPHID()) | ->setSnapshotPHID($snapshot->getPHID()) | ||||
->setFragmentPHID($child->getFragmentPHID()) | ->setFragmentPHID($child->getFragmentPHID()) | ||||
->setFragmentVersionPHID($child->getFragmentVersionPHID()) | ->setFragmentVersionPHID($child->getFragmentVersionPHID()) | ||||
->save(); | ->save(); | ||||
} | } | ||||
} | } | ||||
$snapshot->saveTransaction(); | $snapshot->saveTransaction(); | ||||
return id(new AphrontRedirectResponse()); | if ($this->id === null) { | ||||
return id(new AphrontRedirectResponse()) | |||||
->setURI($this->targetFragment->getURI()); | |||||
} else { | |||||
return id(new AphrontRedirectResponse()) | |||||
->setURI($this->targetSnapshot->getURI()); | |||||
} | |||||
} | } | ||||
return $this->createDialog(); | return $this->createDialog(); | ||||
} | } | ||||
function createDialog() { | function createDialog() { | ||||
$request = $this->getRequest(); | $request = $this->getRequest(); | ||||
$viewer = $request->getUser(); | $viewer = $request->getUser(); | ||||
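Review bot: The two redirect branches at the end of the dialog-post path construct the same AphrontRedirectResponse and differ only in which object supplies the URI; choosing the target first is shorter and keeps the null-guard reasoning in one place, e.g. `$target = ($this->id === null) ? $this->targetFragment : $this->targetSnapshot;` followed by `return id(new AphrontRedirectResponse())->setURI($target->getURI());`. This depends on the earlier 404 guards having set exactly the one target the branch dereferences, which the visible lookup blocks appear to guarantee, but the write path between those guards and the redirect is collapsed in this view, so that invariant should be checked there too. `createDialog()` just below is declared without a visibility modifier; `public function createDialog()` would match `processRequest()` above it. processRequest() begins before the first visible line and its body is partly collapsed.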
Prefer to use requireCapabilities(VIEW, EDIT) when querying over explicit checks, if you can. This is a stronger behavior because we never even get objects which we don't have authority to act on, so it's more difficult to make mistakes.