@recaptime-dev's working patches + fork for Phorge, a community fork of Phabricator. (Upstream dev and stable branches are at upstream/main and upstream/stable respectively.) hq.recaptime.dev/wiki/Phorge

Add hard stops on empty batch edit sets

Summary:
Ref T8637. If a user tries to batch edit a list of tasks which can't be edited, we fall through to `withIDs(array())`, which can affect //everything//.

Explicitly stop batch editing if we don't have valid IDs or valid tasks.

The UI sort-of warns you that something is wrong, but this is ultimately a pretty severe UX issue. I'll fix the underlying Query in the next diff.

Test Plan: Tried to batch edit a list of tasks I didn't have permission to edit.

Reviewers: btrahan

Reviewed By: btrahan

Subscribers: lloyd.oliver, epriestley

Maniphest Tasks: T8637

Differential Revision: https://secure.phabricator.com/D13388

+12
+12
src/applications/maniphest/controller/ManiphestBatchEditController.php
··· 25 25 $task_ids = $request->getStrList('batch'); 26 26 } 27 27 28 + if (!$task_ids) { 29 + throw new Exception( 30 + pht( 31 + 'No tasks are selected.')); 32 + } 33 + 28 34 $tasks = id(new ManiphestTaskQuery()) 29 35 ->setViewer($viewer) 30 36 ->withIDs($task_ids) ··· 36 42 ->needSubscriberPHIDs(true) 37 43 ->needProjectPHIDs(true) 38 44 ->execute(); 45 + 46 + if (!$tasks) { 47 + throw new Exception( 48 + pht( 49 + "You don't have permission to edit any of the selected tasks.")); 50 + } 39 51 40 52 if ($project) { 41 53 $cancel_uri = '/project/board/'.$project->getID().'/';
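Review bot: In the first hunk, `if (!$task_ids)` throws a bare `Exception` for what is a user-input condition (an empty `batch` list from `getStrList('batch')`), so the user lands on a generic error page. Consider returning a handled error response or dialog carrying the same `pht('No tasks are selected.')` text. This check also only tests for an empty list: a non-empty list of IDs that match nothing passes here and is stopped only by the later `!$tasks` check, so a short comment saying both guards are required would help keep either one from being removed later.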
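Review bot: In the second hunk, `if (!$tasks)` reports "You don't have permission to edit any of the selected tasks.", but the result of `withIDs($task_ids)` is also empty when the submitted IDs match no task at all, so the message can be wrong; wording that covers both cases would be more accurate. The guard fires only when every task is filtered out: if some of `$task_ids` are dropped, the edit proceeds on the remaining subset without telling the user, so consider comparing `count($tasks)` with `count($task_ids)` and surfacing the difference. A comment above the check noting that it keeps an empty set from reaching `withIDs(array())` further down would document why it must stay until the Query itself is fixed.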