@recaptime-dev's working patches + fork for Phorge, a community fork of Phabricator. (Upstream dev and stable branches are at upstream/main and upstream/stable respectively.) hq.recaptime.dev/wiki/Phorge

Clean up "reorder" permissions in MenuEngine for personal favorites

Summary:
Fixes T12159. This is similar to D17228, which fixed this for the main configuration operation.

Most other edit operations only test for edit capability on the MenuItem itself, which we already do correctly. However, because reordering affects all items, we test for capability on the object.

Weaken this when reordering custom items.

Test Plan: Reordered custom items in Favorites as a non-administrator.

Reviewers: chad

Reviewed By: chad

Maniphest Tasks: T12159

Differential Revision: https://secure.phabricator.com/D17257

+28 -4
src/applications/search/engine/PhabricatorProfileMenuEngine.php
··· 497 497 $viewer = $this->getViewer(); 498 498 $object = $this->getProfileObject(); 499 499 500 - PhabricatorPolicyFilter::requireCapability( 501 - $viewer, 502 - $object, 503 - PhabricatorPolicyCapability::CAN_EDIT); 500 + // If you're reordering global items, you need to be able to edit the 501 + // object the menu appears on. If you're reordering custom items, you only 502 + // need to be able to edit the custom object. Currently, the custom object 503 + // is always the viewing user's own user object. 504 + $custom_phid = $this->getCustomPHID(); 505 + if (!$custom_phid) { 506 + PhabricatorPolicyFilter::requireCapability( 507 + $viewer, 508 + $object, 509 + PhabricatorPolicyCapability::CAN_EDIT); 510 + } else { 511 + $policy_object = id(new PhabricatorObjectQuery()) 512 + ->setViewer($viewer) 513 + ->withPHIDs(array($custom_phid)) 514 + ->executeOne(); 515 + 516 + if (!$policy_object) { 517 + throw new Exception( 518 + pht( 519 + 'Failed to load custom PHID "%s"!', 520 + $custom_phid)); 521 + } 522 + 523 + PhabricatorPolicyFilter::requireCapability( 524 + $viewer, 525 + $policy_object, 526 + PhabricatorPolicyCapability::CAN_EDIT); 527 + } 504 528 505 529 $controller = $this->getController(); 506 530 $request = $controller->getRequest();
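Review bot: In the `else` branch the only authorization left is `CAN_EDIT` on the object loaded from `getCustomPHID()`, and nothing in the visible lines ties that PHID to the menu items that are about to be reordered. The weaker check is only safe if `getCustomPHID()` cannot be influenced by the request and the reorder that follows is limited to items owned by that custom PHID; otherwise a user who can edit their own user object could change the order of items on `$object` without edit capability on it. Consider verifying that each reordered item belongs to `$custom_phid` before the new order is applied, or add a comment pointing at where that is enforced. Two smaller points: the `!$policy_object` case throws a bare `Exception`, although the query runs with `setViewer($viewer)` and can therefore also come back empty for an object the viewer cannot see, which would be better surfaced as a policy or not-found failure than as a generic error; and the test plan covers only the allowed path, so a negative case (a non-administrator reordering global items is still rejected) would be worth adding.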