Creating a sub-task of a security issue (via "Edit related tasks" menu) does not automatically protect the task as Security
Closed, Resolved · Public

Description

I decided to make a sub-task of a Phabricator ticket marked as Security (T158473). To do this, I clicked on the "Edit Related Tasks..." option in the right side menu, then "Create Subtask". I did not modify the suggested subscribers or tags. When the ticket was created, it was not automatically protected as a security issue and users subscribed to the tagged projects received an email notification with the description I provided.

As I attempt to recreate this, I see 'Security' as a tag when I go through the same steps. On save, it is not protected. T175071: Test ticket — please ignore

Event Timeline

TBolliger renamed this task from "Creating a sub-task of a security issue (via "Edit related tasks" menu) does not automatically mark the task as Security" to "Creating a sub-task of a security issue (via "Edit related tasks" menu) does not automatically protect the task as Security". Sep 5 2017, 8:29 PM
TBolliger updated the task description.
Aklapper edited projects, added Phabricator (Upstream); removed Phabricator.

To express this in implementation terms: Currently "Create Subtask" does not carry over the View or Edit policies of the parent task.
This is https://secure.phabricator.com/T12314#213245, section "Weakness: No Custom Create Forms on Workboards or Create Subtask".

Regarding terms and expectations:
"Protected" here means that a custom task view policy is set to "Allow members of the project Security, allow task subscribers, and allow the task author". The Security tag is added by the configuration of the dedicated form for security issues. Adding a Security tag to a task does not change the view policy of the task.

Indeed, it would be desirable to have subtasks assume the policy of their parent tasks, but this does not seem possible currently, not even with a Herald rule.

Aklapper lowered the priority of this task from Low to Lowest. Sep 7 2017, 1:19 PM

Worth checking again once we've deployed https://secure.phabricator.com/T12588 / https://secure.phabricator.com/T12278 in our instance.

We've deployed Phabricator (2019-02-20) and there is now a "Choose Subtype" submenu where you can set a protection level. Hence closing this task.