Diffusion hydra cd8b5b82c860

Stop requiring CAN_EDIT to reach the TransactionEditor via "*.edit" in…

Description

Stop requiring CAN_EDIT to reach the TransactionEditor via "*.edit" in EditEngine

Summary:
Depends on D19607. Ref T13189. See PHI642. Ref T13186.

Some transactions can sometimes be applied to objects you can not edit. Currently, using *.edit to edit an object always explicitly requires CAN_EDIT.

Now that individual transactions require CAN_EDIT by default and can reduce or replace this requirement, stop requiring CAN_EDIT to reach the editor.

The only expected effect of this change is that low-permission edits (like disabling a user, leaving a project, or leaving a thread) can now work via *.edit.

Test Plan:

  • Tried to perform a normal edit (changing a task title) against an object with no CAN_EDIT. Still got a permissions error.
  • As a non-admin, disabled other users while holding the "Can Disable Users" permission.
  • As a non-admin, got a permissions error while trying to disable other users while not holding the "Can Disable Users" permission.

Reviewers: amckinley

Maniphest Tasks: T13189, T13186

Differential Revision: https://secure.phabricator.com/D19608

Details

Provenance
epriestley Authored on Aug 27 2018, 10:52 AM
sirocyl Pushed on Oct 16 2024, 5:49 AM
Parents
R1:f9192d07f2c7: Align web UI "Disable" and "Approve/Disapprove" flows with new "Can Disable…
Branches
Unknown
Tags
Unknown
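The authorization model the commit message describes, as an added Python sketch that is not code from this commit or from the project: each transaction type names the capability it needs, anything unlisted falls back to CAN_EDIT, and the editor itself no longer demands CAN_EDIT. The transaction type names, the `REQUIRED` table, treating "leave" as needing no capability, and all function names are assumptions made for illustration.

```python
CAN_EDIT = "CAN_EDIT"
CAN_DISABLE_USERS = "CAN_DISABLE_USERS"  # stands in for "Can Disable Users"

# Hypothetical transaction types mapped to the capability each one needs.
# None means no capability is needed (assumed here for removing yourself).
REQUIRED = {
    "title": CAN_EDIT,
    "disable": CAN_DISABLE_USERS,  # replaces the CAN_EDIT requirement
    "leave": None,                 # reduces the CAN_EDIT requirement
}


class PermissionDenied(Exception):
    pass


def required_capability(xaction_type):
    # Fail closed: a type with no explicit entry still requires CAN_EDIT.
    return REQUIRED.get(xaction_type, CAN_EDIT)


def apply_edit(held, xaction_types, editor_gate=False):
    """Return the list of applied types, or raise PermissionDenied.

    held: capabilities the actor holds on the target object.
    editor_gate=True models the old behaviour (CAN_EDIT to reach the editor).
    """
    if editor_gate and CAN_EDIT not in held:
        raise PermissionDenied("CAN_EDIT is required to reach the editor")
    # Check every transaction before applying any, so a low-permission
    # transaction cannot carry a privileged one along in the same request.
    for xtype in xaction_types:
        need = required_capability(xtype)
        if need is not None and need not in held:
            raise PermissionDenied(f"{xtype} requires {need}")
    return list(xaction_types)


def is_allowed(held, xaction_types, editor_gate=False):
    try:
        apply_edit(held, xaction_types, editor_gate)
        return True
    except PermissionDenied:
        return False
```

The cases worth checking against a model like this are the three in the test plan, plus a mixed request (a "disable" bundled with a "title" change) and an unlisted transaction type, both of which must still be refused without CAN_EDIT.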
