Straighten out reorder permissions on form configurations

Summary:
Fixes T10012. The permissions here are a little weird: you need edit permission on the //configurations//, not the //engines//. I was checking edit permission on the engines only.

I should possibly make this a bit more consistent; the engine edit permission is just very convenient to use to enforce object create permission right now. I'll likely clean this up after T9789.

Test Plan:
  - Tried to reorder forms as a less-privileged user, got proper policy errors.
  - Reordered forms normally as a regular user.

Reviewers: chad

Reviewed By: chad

Subscribers: Luke081515.2

Maniphest Tasks: T10012

Differential Revision: https://secure.phabricator.com/D14824
epriestley
2015-12-19 06:29:48 -08:00
parent a1a8b9ba65
commit 3f8e5c9620
4 changed files with 22 additions and 8 deletions

@@ -13,7 +13,8 @@ final class PhabricatorEditEngineConfigurationListController
$engine_key = $request->getURIData('engineKey');
$this->setEngineKey($engine_key);
$engine = PhabricatorEditEngine::getByKey($viewer, $engine_key);
$engine = PhabricatorEditEngine::getByKey($viewer, $engine_key)
->setViewer($viewer);
$items = array();
$items[] = id(new PHUIListItemView())
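Review bot: The result of PhabricatorEditEngine::getByKey($viewer, $engine_key) is chained straight into ->setViewer($viewer) with no check that an engine was found, and $engine_key comes from the request URI. If getByKey() can return null for an unknown key, this becomes a fatal error instead of a clean 404; consider assigning first, returning a 404 response when the engine is missing, and only then calling setViewer(). It is also worth a short comment on why the viewer has to be set separately when it is already passed to getByKey().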
@@ -23,9 +24,12 @@ final class PhabricatorEditEngineConfigurationListController
$sort_create_uri = "/transactions/editengine/{$engine_key}/sort/create/";
$sort_edit_uri = "/transactions/editengine/{$engine_key}/sort/edit/";
$can_edit = PhabricatorPolicyFilter::hasCapability(
$builtins = $engine->getBuiltinEngineConfigurations();
$builtin = head($builtins);
$can_sort = PhabricatorPolicyFilter::hasCapability(
$viewer,
$engine,
$builtin,
PhabricatorPolicyCapability::CAN_EDIT);
$items[] = id(new PHUIListItemView())
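Review bot: The capability check on $builtin = head($builtins) uses only the first builtin configuration as a stand-in for every configuration the reorder action touches, and nothing guards against getBuiltinEngineConfigurations() returning an empty list, in which case a non-object is passed to PhabricatorPolicyFilter::hasCapability(). Please add a guard for the empty case and a comment stating why the first builtin configuration's CAN_EDIT policy is representative of the whole set, since the summary itself says this part of the permission model is due for cleanup.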
@@ -33,14 +37,14 @@ final class PhabricatorEditEngineConfigurationListController
->setName(pht('Reorder Create Forms'))
->setHref($sort_create_uri)
->setWorkflow(true)
->setDisabled(!$can_edit);
->setDisabled(!$can_sort);
$items[] = id(new PHUIListItemView())
->setType(PHUIListItemView::TYPE_LINK)
->setName(pht('Reorder Edit Forms'))
->setHref($sort_edit_uri)
->setWorkflow(true)
->setDisabled(!$can_edit);
->setDisabled(!$can_sort);
return id(new PhabricatorEditEngineConfigurationSearchEngine())
->setController($this)
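Review bot: ->setDisabled(!$can_sort) on the two reorder links only changes how the menu items render; the links still point at $sort_create_uri and $sort_edit_uri, so the authorization decision has to be made again by whatever handles those URIs. The test plan mentions policy errors for a less-privileged user, which suggests that is covered in one of the other changed files, but please confirm that the sort handler checks CAN_EDIT on the configurations (not the engine) so the enforced rule and the displayed state here cannot drift apart.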