We have a new document that describes our Security setup: https://www.mediawiki.org/wiki/Phabricator/Security
Upstream is going in the direction of first assuring that the View policy is always enforced, and only then looking for exceptions. This means that members of the teams within the policy (Security...), the assignee, and the author will be fine, but other users CCed are considered exceptions. View policy and email notifications will be aligned: either you get both or none.
Proposed solution for CCed users in Wikimedia Phabricator:
- Only members of teams within the Edit policy can add other users in CC.
- CC users can view, receive notifications, and comment.
- CC users cannot edit the task fields and cannot CC other users.
- The View & comment permissions CC users had in Bugzilla will be respected for the users with an account in Phabricator when we update the ACLs; whoever comes after will need to be added manually.
- The right solution is to create specific projects to group users trusted in specific areas. Ideally, CCing users by their username should be the exception among the exceptions.
More:
- https://www.mediawiki.org/wiki/Phabricator/Security#Users_CCed_in_private_tasks_should_be_able_to_access_them
- https://www.mediawiki.org/wiki/Phabricator/Security#Proposed_Updates_to_Process
Previous description
This is not working currently:
Short term solution:
See also: T475: Authors of private tasks should be able to access them
There is a related report upstream: Adding a CC to a Maniphest Task should give View rights for that user