recaptime.dev / phorge
@recaptime-dev's working patches + fork for Phorge, a community fork of Phabricator. (Upstream dev and stable branches are at upstream/main and upstream/stable respectively.) hq.recaptime.dev/wiki/Phorge
phorge phabricator
1
fork

Configure Feed

Select the types of activity you want to include in your feed.

When moving an object between workboard columns, require object edit permission

Summary:
Fixes T5204. Currently, to move an object (like a task) between columns on a workboard, you must be able to edit the project.

This doesn't map very well to real usage. Instead, require users be able to edit the object (e.g., the task).

(You still need to be able to edit the project to create columns, edit columns, etc.)

Test Plan: Moved stuff around on a project I could not edit.

Reviewers: chad

Reviewed By: chad

Subscribers: epriestley

Maniphest Tasks: T5204

Differential Revision: https://secure.phabricator.com/D9720

epriestley aedb694a fe4dcd40

+10 -6
+10 -6
src/applications/project/controller/PhabricatorProjectMoveController.php
··· 23 23 ->requireCapabilities( 24 24 array( 25 25 PhabricatorPolicyCapability::CAN_VIEW, 26 - PhabricatorPolicyCapability::CAN_EDIT, 27 26 )) 28 27 ->withIDs(array($this->id)) 29 28 ->executeOne(); 30 29 if (!$project) { 31 30 return new Aphront404Response(); 32 31 } 33 - 34 - // NOTE: I'm not requiring EDIT on the object for now, since we require 35 - // EDIT on the project anyway and this relationship is more owned by the 36 - // project than the object. Maybe this is worth revisiting eventually. 37 32 38 33 $object = id(new PhabricatorObjectQuery()) 39 34 ->setViewer($viewer) 40 35 ->withPHIDs(array($object_phid)) 36 + ->requireCapabilities( 37 + array( 38 + PhabricatorPolicyCapability::CAN_VIEW, 39 + PhabricatorPolicyCapability::CAN_EDIT, 40 + )) 41 41 ->executeOne(); 42 42 43 43 if (!$object) { ··· 90 90 $tasks = id(new ManiphestTaskQuery()) 91 91 ->setViewer($viewer) 92 92 ->withPHIDs($task_phids) 93 - ->requireCapabilities(array(PhabricatorPolicyCapability::CAN_EDIT)) 93 + ->requireCapabilities( 94 + array( 95 + PhabricatorPolicyCapability::CAN_VIEW, 96 + PhabricatorPolicyCapability::CAN_EDIT, 97 + )) 94 98 ->execute(); 95 99 if (count($tasks) != count($task_phids)) { 96 100 return new Aphront404Response();