recaptime.dev / phorge
@recaptime-dev's working patches + fork for Phorge, a community fork of Phabricator. (Upstream dev and stable branches are at upstream/main and upstream/stable respectively.) hq.recaptime.dev/wiki/Phorge
phorge phabricator
1
fork

Configure Feed

Select the types of activity you want to include in your feed.

Don't require any special capabilities to apply a "closed a subtask" transaction to a parent task

Summary:
See PHI1059. If you close a task, we apply an "alice closed a subtask: X" transaction to its parents.

This transaction is purely informative, but currently requires `CAN_EDIT` permission after T13186. However, we'd prefer to post this transaction anyway, even if: the parent is locked; or the parent is not editable by the acting user.

Replace the implicit `CAN_EDIT` requirement with no requirement.

(This transaction is only applied internally (by closing a subtask) and can't be applied via the API or any other channel, so this doesn't let attackers spam a bunch of bogus subtask closures all over the place or anything.)

Test Plan:
- Created a parent task A with subtask B.
- Put task A into an "Edits Locked" status.
- As a user other than the owner of A, closed B.

Then:

- Before: Policy exception when trying to apply the "alice closed a subtask: B" transaction to A.
- After: B closed, A got a transaction despite being locked.

Reviewers: amckinley

Reviewed By: amckinley

Differential Revision: https://secure.phabricator.com/D20223

epriestley 75dfae10 4cc556b5

+10
+10
src/applications/maniphest/xaction/ManiphestTaskUnblockTransaction.php
··· 123 123 return parent::shouldHideForFeed(); 124 124 } 125 125 126 + public function getRequiredCapabilities( 127 + $object, 128 + PhabricatorApplicationTransaction $xaction) { 129 + 130 + // When you close a task, we want to apply this transaction to its parents 131 + // even if you can not edit (or even see) those parents, so don't require 132 + // any capabilities. See PHI1059. 133 + 134 + return null; 135 + } 126 136 }