Hi, I just realized acl*blog-admins is joinable by the world, even the join policy is set to project members. That's because "Users who can edit a project can always join it.", and the edit policy is set to "All users".
I don't think this is intended, as @mmodell changed the join policy from "All Users" to "Project Members" in 2019.
I went through https://phabricator.wikimedia.org/project/query/RsRRcy77yMW5/#R looking for (non- acl*security subprojects) ACLs that I could join. Other groups that appear joinable by the world:
acl*release_security_pre_announce and acl*wmcs-team (I've joined both of those too to verify, feel free to remove me from them)
it seems that the "joinable by: project memebers" no longer restricts people from joining as it once did.
Actually I think I could only join acl*wmcs-team because the custom edit policy is members of acl*wmcs-team or acl*Project-Admins, which I am a member of. So its not joinable by everyone, but it still should probably be restricted to not include project-admins
Ok it should be all fixed up. Policy-Admins is the group of people who should be able to edit acl* projects.
Thanks - it looks like I can rejoin acl*release_security_pre_announce based on having security access. Should editing be restricted to the security team only?
Correctly unable to rejoin acl*wmcs-team
I'm still a member of acl*blog-admins if you want to remove me
AFAIK, this is not currently used for anything, so it should be fairly low risk, regardless. That said, the Security-Team is planning to work on an initial rollout of the process related to this acl soon, so it would be good to have this functioning properly, i.e. all users should not be able to join.
Thanks for finding this, and thanks everyone for the analysis and quick action!
Not sure the following meta comment deserves a dedicated task (plus I'd be unsure which permissions to set), so adding it here as yet another comment (sorry):
It's not the first time that I'm unhappy about the lack of an audit UI within Phab which would allow listing view policies and edit policies of projects, based on some search criteria. Phabricator's custom policy concepts and our potential per-project configuration inconsistencies might bite us again in the future, given Wikimedia's concept of being open whenever possible versus avoiding unauthorized access or vandalism in Phab (cf. T84).
Given there's no UI, I'd like to be able to query non-default view and edit policy permissions among existing Phab projects and be able to review. I cooked up https://gerrit.wikimedia.org/r/c/operations/puppet/+/657692 as the first step (DB access; second step will be writing and running SQL queries). Review welcome.
I took the liberty to create T272654: Grant phstats user SELECT rights for phabricator_policy database, so the DBA team that would probably be the best to review and merge can notice, I don't think they watch Phabricator :). I created it as a public task, considering it doesn't reveal the context (and also this is fixed now, so it probably should be published anyway).