Page MenuHomePhabricator

Creating a sub-task of a security issue (via "Edit related tasks" menu) does not automatically protect the task as Security
Closed, ResolvedPublic

Description

I decided to make a sub-task of a Phabricator ticket marked as Security (T158473). To do this, I clicked on the "Edit Related Tasks..." option in the right side menu, then "Create Subtask". I did not modify the suggested subscribers or tags. When the ticket was created, it was not automatically protected as a security issue and users subscribed to the tagged projects received an email notification with the description I provided.

As I attempt to recreate this, I see 'Security' as a tag when I go through the same steps. On save, it is not protected. T175071: Test ticket — please ignore

Event Timeline

TBolliger renamed this task from Creating a sub-task of a security issue (via "Edit related tasks" menu) does not automatically mark the task as Security to Creating a sub-task of a security issue (via "Edit related tasks" menu) does not automatically protect the task as Security.Sep 5 2017, 8:29 PM
TBolliger updated the task description. (Show Details)
Aklapper edited projects, added Phabricator (Upstream); removed Phabricator.

To express this in implementation terms: Currently "Create Subtask" does not carry over the View or Edit policies of the parent task.
This is https://secure.phabricator.com/T12314#213245 , section "Weakness: No Custom Create Forms on Workboards or Create Subtask".

Regarding terms and expectations:
"protected" here means that a custom task view policy set to "Allow members of the project Security, allow task subscribers, and allow the task author". The Security tag is added by the configuration of the the dedicated form for security issues. Adding a Security tag to a task does not change the view policy of the task.

Indeed it would be desirable to have subtasks assume the policy of their parent tasks but this does not seem possible currently, not even with a herald rule.

Aklapper lowered the priority of this task from Low to Lowest.Sep 7 2017, 1:19 PM

Worth to check again once we've deployed https://secure.phabricator.com/T12588 / https://secure.phabricator.com/T12278 in our instance.

We've deployed Phabricator (2019-02-20) and there is now a "Choose Subtype" submenu where you can set a protection level. Hence closing this task.