HomePhabricator
Diffusion Phabricator 0a0ac1302f02

Prevent users from taking "edit"-like actions via comment forms if they don't…
0a0ac1302f02
Actions

Description

Prevent users from taking "edit"-like actions via comment forms if they don't have edit permission

Summary:
Ref T12335. Fixes T11207. Edit-like interactions which are not performed via "Edit <object>" are a bit of a grey area, policy-wise.

For example, you can correctly do these things to an object you can't edit:

  • Comment on it.
  • Award tokens.
  • Subscribe or unsubscribe.
  • Subscribe other users by mentioning them.
  • Perform review.
  • Perform audit.
  • (Maybe some other stuff.)

These behaviors are all desirable and correct. But, particularly now that we offer stacked actions, you can do a bunch of other stuff which you shouldn't really be able to, like changing the status and priority of tasks you can't edit, as long as you submit the change via the comment form.

(Before the advent of stacked actions there were fewer things you could do via the comment form, and more of them were very "grey area", especially since "Change Subscribers" was just "Add Subscribers", which you can do via mentions.)

This isn't too much of a problem in practice because we won't show you those actions if the edit form you'd end up on doesn't have those fields. So on intalls like ours where we've created simple + advanced flows, users who shouldn't be changing task priorities generally don't see an option to do so, even though they technically could if they mucked with the HTML.

Change this behavior to be more strict: unless an action explicitly says that it doesn't need edit permission (comment, review, audit) don't show it to users who don't have edit permission and don't let them take the action.

Test Plan:

  • As a user who could not edit a task, tried to change status via comment form; received policy exception.
  • As a user who could not edit a task, viewed a comment form: no actions available (just "comment").
  • As a user who could not edit a revision, viewed a revision form: only "review" actions available (accept, resign, etc).
  • Viewed a commit form but these are kind of moot because there's no separate edit permission.

Reviewers: chad

Reviewed By: chad

Maniphest Tasks: T12335, T11207

Differential Revision: https://secure.phabricator.com/D17452

Details

Provenance
epriestleyAuthored on Mar 2 2017, 8:05 PM
epriestleyPushed on Mar 3 2017, 12:56 AM
Reviewer
chad
Differential Revision
D17452: Prevent users from taking "edit"-like actions via comment forms if they don't have edit permission
Parents
rP08b18ac5f5b4: Remove needBadges from PhabricatorUser
Branches
Unknown
Tags
Unknown
Tasks
T12335: Ability to lock a task to prevent further edits
T11207: User can change properties on the task, even when not having edit policy rights
Build Status
Buildable 15870
Build 21003: Run Core Tests

Changes (5)

PathSize
src/
applications/
differential/
xaction/
diffusion/
xaction/
transactions/
editengine/
editfield/
engineextension/

rP0a0ac1302f02

View Options

src/applications/differential/xaction/DifferentialRevisionActionTransaction.php

Loading...
View Options

src/applications/diffusion/xaction/DiffusionCommitActionTransaction.php

Loading...
View Options

src/applications/transactions/editengine/PhabricatorEditEngine.php

Loading...
View Options

src/applications/transactions/editfield/PhabricatorEditField.php

Loading...
View Options

src/applications/transactions/engineextension/PhabricatorCommentEditEngineExtension.php

Loading...
Phabricator · Built by Phacility