
Phabricator unsubscribed me from a task?
Closed, Declined · Public

Description

I noticed that I'm being emailed comment streams on bugs I don't have the permissions to view. This might be considered a breakdown in access control.

Seems that I was subscribed to bug https://phabricator.wikimedia.org/T118032 at some point when it was still public, and when it went private I remained subscribed to the email feed. Currently, I cannot view the bug when logged-in to the web UI.

Event Timeline

awight created this task. Nov 18 2015, 11:34 PM
awight raised the priority of this task from to Needs Triage.
awight updated the task description. (Show Details)
awight added a project: Phabricator.
awight added a subscriber: awight.
Restricted Application added subscribers: StudiesWorld, scfc, Aklapper. · View Herald Transcript. Nov 18 2015, 11:34 PM
awight triaged this task as High priority. Nov 18 2015, 11:36 PM
awight set Security to None.
awight added a project: acl*security.

https://phabricator.wikimedia.org/T118032 says that you were added to CC on Nov 06. That task lists as the very last action that "awight removed a subscriber: awight. Via Web." at 23:29, while this very task was filed at 23:34.
So it looks to me like you actually were able to access it via the web UI. Could you clarify?

I cannot access T118032 via the web UI, but I do vaguely remember being able to access it on Nov 6; it sounds right that I was trying to unsubscribe at that point.

Meanwhile, I'm getting emailed comments on that task as recently as an hour ago.

There have been no comments on the bug after the point you were unsubscribed(?)

Sorry, I was not clear in my last comment: The web UI states that you unsubscribed from the task on Nov 18, 23:29 (today).

@Aklapper
No, I didn't! Maybe that was a "feature" that fixes the permissions if a subscriber attempts to access a restricted task?

Side question: How can I search for all tasks with visibility restricted to WMF FR? I'm trying to audit...

> Side question: How can I search for all tasks with visibility restricted to WMF FR? I'm trying to audit...

I don't think you can search by policy.

Thanks for looking at this!

Lemme make sure I'm being clear about my interactions with this private bug:

  • I started getting email notifications about T118032 on Nov 6, I'm not certain why.
  • After 20 emails, I browsed to the bug using the link included in a letter.
  • I never saw the bug's contents, just the "Access Denied: Restricted Task" screen.

That is all.

Has this task been private all along? Am I included in the access group or not? I'm puzzled. Please keep me informed if there is an investigation about this, cos I need to pass that information along to the Fundraising teams as we rely on these access restrictions.

Krenair closed this task as Invalid. Nov 19 2015, 1:12 AM
Krenair claimed this task.
> • I started getting email notifications about T118032 on Nov 6, I'm not certain why.

You were deliberately CC'd on the bug to check something. The policies we set on these tasks allow subscribers access.

> • After 20 emails, I browsed to the bug using the link included in a letter.
> • I never saw the bug's contents, just the "Access Denied: Restricted Task" screen.
>
> That is all.

No, you removed yourself very shortly before creating this task. Access controls are behaving as you'd expect when you do that.

> Has this task been private all along? Am I included in the access group or not?

It was private all along, you had access for a period of time until you removed yourself.

Interesting. There is definitely a bug, but it might be different than I had thought.

I've verified by my browser history that I did not unconsciously unsubscribe from the bug. All I did was attempt to visit the page, and was denied access. Perhaps this is visible if you check the response length or referred-to files in web logs.

Krenair renamed this task from "Inconsistency to be aware of in Phabricator task visibility" to "Phabricator unsubscribed me from a task?". Nov 19 2015, 1:40 AM
Krenair reopened this task as Open.
Krenair removed Krenair as the assignee of this task.
Krenair removed a project: acl*security.

> I've verified by my browser history that I did not unconsciously unsubscribe from the bug.

Well, it says you did it 'Via Web'. I imagine there's some logs that ops/phabricator-roots can check.

> All I did was attempt to visit the page, and was denied access. Perhaps this is visible if you check the response length or referred-to files in web logs.

I have no doubt that you did this, but after the unsubscription (which you think you did not actually perform), right?

Also, you recognise everything on https://phabricator.wikimedia.org/settings/panel/activity/ and https://phabricator.wikimedia.org/settings/panel/sessions/, right? (The IPs there aren't particularly useful; they're just the internal cp*.eqiad.wmnet IPs, since XFF is not respected.)

/me pinches self

I could have done this. Turns out my browser (FF) history actually collapses multiple visits to the same URL, so there would be no way to tell whether I were going crazy or not.

@awight: I assume (hope?) you actually accessed the link and FF just tricks you, so I propose to change the task status to "declined" and reopen if this ever happens again? Would that be fine with you?

Restricted Application added a subscriber: Luke081515. · View Herald Transcript. Jan 20 2016, 1:33 PM
Aklapper lowered the priority of this task from High to Low. Jan 20 2016, 1:33 PM
Luke081515 moved this task from To Triage to Misc on the Phabricator board. Feb 4 2016, 6:19 PM
Aklapper closed this task as Declined. Feb 14 2016, 1:20 PM
Aklapper claimed this task.