-
epriestley authored
Summary: See PHI1059. If you close a task, we apply an "alice closed a subtask: X" transaction to its parents. This transaction is purely informative, but currently requires `CAN_EDIT` permission after T13186. However, we'd prefer to post this transaction anyway, even if: the parent is locked; or the parent is not editable by the acting user. Replace the implicit `CAN_EDIT` requirement with no requirement. (This transaction is only applied internally (by closing a subtask) and can't be applied via the API or any other channel, so this doesn't let attackers spam a bunch of bogus subtask closures all over the place or anything.) Test Plan: - Created a parent task A with subtask B. - Put task A into an "Edits Locked" status. - As a user other than the owner of A, closed B. Then: - Before: Policy exception when trying to apply the "alice closed a subtask: B" transaction to A. - After: B closed, A got a transaction despite being locked. Reviewers: amckinley Reviewed By: amckinley Differential Revision: https://secure.phabricator.com/D20223
75dfae10