Prevent awarding/revoking tokens when a task is locked

epriestley · epriestley · commit 9ccef52d6c3f · 2017-03-04T09:55:35.000-08:00
Summary: Ref T12335. Allows you to lock tasks to keep your precious tokens. Test Plan: - Awarded tokens to an unlocked task. - Locked the task. - Could no longer award/rescind tokens. Reviewers: chad Reviewed By: chad Maniphest Tasks: T12335 Differential Revision: https://secure.phabricator.com/D17461
diff --git a/src/applications/tokens/controller/PhabricatorTokenGiveController.php b/src/applications/tokens/controller/PhabricatorTokenGiveController.php
@@ -14,6 +14,24 @@ public function handleRequest(AphrontRequest $request) {
       return new Aphront404Response();
     }
 
+    $object = id(new PhabricatorObjectQuery())
+      ->setViewer($viewer)
+      ->withPHIDs(array($phid))
+      ->executeOne();
+
+    if (!($object instanceof PhabricatorTokenReceiverInterface)) {
+      return new Aphront400Response();
+    }
+
+    if (!PhabricatorPolicyFilter::canInteract($viewer, $object)) {
+      $lock = PhabricatorEditEngineLock::newForObject($viewer, $object);
+
+      $dialog = $this->newDialog()
+        ->addCancelButton($handle->getURI());
+
+      return $lock->willBlockUserInteractionWithDialog($dialog);
+    }
+
     $current = id(new PhabricatorTokenGivenQuery())
       ->setViewer($viewer)
       ->withAuthorPHIDs(array($viewer->getPHID()))
diff --git a/src/applications/tokens/event/PhabricatorTokenUIEventListener.php b/src/applications/tokens/event/PhabricatorTokenUIEventListener.php
@@ -37,6 +37,8 @@ private function handleActionEvent($event) {
       return null;
     }
 
+    $can_interact = PhabricatorPolicyFilter::canInteract($user, $object);
+
     $current = id(new PhabricatorTokenGivenQuery())
       ->setViewer($user)
       ->withAuthorPHIDs(array($user->getPHID()))
@@ -48,14 +50,17 @@ private function handleActionEvent($event) {
         ->setWorkflow(true)
         ->setHref('/token/give/'.$object->getPHID().'/')
         ->setName(pht('Award Token'))
-        ->setIcon('fa-trophy');
+        ->setIcon('fa-trophy')
+        ->setDisabled(!$can_interact);
     } else {
       $token_action = id(new PhabricatorActionView())
         ->setWorkflow(true)
         ->setHref('/token/give/'.$object->getPHID().'/')
         ->setName(pht('Rescind Token'))
-        ->setIcon('fa-trophy');
+        ->setIcon('fa-trophy')
+        ->setDisabled(!$can_interact);
     }
+
     if (!$user->isLoggedIn()) {
       $token_action->setDisabled(true);
     }
