Some tests to make sure that we are not leaking private tasks through Herald notifications:
- From a user without special permissions, create personal Herald rules to receive emails and/or be CCed, Assigned, etc., for different types of activities (especially task creation, but also updates), and test them with public tasks.
- Now create a private task, by defining a security level and/or by adding it to the Security project.
Your user without permissions should receive notifications for the public tasks, but not for the private ones.
Repeat the tests above for tasks that are public and go private, and vice versa, and back and forth.
Your user without permissions should receive notifications only when those tasks are in a public status, not when they are private.
We need to pay special attention to emails sent (since they may contain sensitive content even if you can't access the task via the web) and to actions like Assigned To and CCed, since they can grant you access by adding your username to the task.
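One way to check the results of these tests mechanically is shown below. It is an added example, not Phabricator or Herald code: it replays an ordered log of what happened during a test run and flags every email, CC or assignment that reached a user while the task was private. The event names, the log format and the users `unpriv` and `secteam` are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed event names for things a Herald rule can cause (not a Phabricator format).
HERALD_EFFECTS = {"email", "herald_cc", "herald_assign"}

@dataclass
class Task:
    private: bool = False
    granted: set = field(default_factory=set)  # access given by a person, never by Herald

def find_leaks(events):
    """Replay an ordered event log; return (index, task, user, type) for each leak."""
    tasks, leaks = {}, []
    for i, ev in enumerate(events):
        task = tasks.setdefault(ev["task"], Task())
        if ev["type"] == "set_private":
            task.private = ev["value"]
        elif ev["type"] == "grant":
            task.granted.add(ev["user"])
        elif ev["type"] in HERALD_EFFECTS:
            # Judge access as it stood before the rule acted: a CC or assignment
            # made by Herald must not count as its own justification, and it is
            # deliberately not added to task.granted.
            if task.private and ev["user"] not in task.granted:
                leaks.append((i, ev["task"], ev["user"], ev["type"]))
        else:
            raise ValueError(f"unknown event type: {ev['type']!r}")
    return leaks

# Constructed log covering the cases in the test plan above.
SAMPLE_EVENTS = [
    {"task": "T1", "type": "set_private", "value": False},      # public task created
    {"task": "T1", "type": "email", "user": "unpriv"},          # expected
    {"task": "T2", "type": "set_private", "value": True},       # private task created
    {"task": "T2", "type": "email", "user": "unpriv"},          # leak
    {"task": "T1", "type": "set_private", "value": True},       # public goes private
    {"task": "T1", "type": "herald_cc", "user": "unpriv"},      # leak: CC grants access
    {"task": "T1", "type": "email", "user": "unpriv"},          # leak: CC is no excuse
    {"task": "T1", "type": "set_private", "value": False},      # back to public
    {"task": "T1", "type": "herald_assign", "user": "unpriv"},  # expected
    {"task": "T2", "type": "grant", "user": "secteam"},         # added by a person
    {"task": "T2", "type": "email", "user": "secteam"},         # expected
]

if __name__ == "__main__":
    for leak in find_leaks(SAMPLE_EVENTS):
        print("LEAK", leak)
```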
Update 12/12/2014:
This should be resolved by this patch. The way this is achieved is as follows:
- An event listener responds to new task creation and applies a custom security policy to all secure tasks. Since events run before Herald rules, the policy prevents personal Herald rules from accessing the task (unless the owner of the rule can rightfully see the task, according to the policy, in which case Herald should be allowed and this isn't a problem).
- A global Herald rule overrides any attempt to set a secure task's policy to 'public' or 'all users'.