There are a total of 6 security issues I am CC'd on in old-bugzilla which I can view, but if I try to browse to them in Phabricator they're broken: "Access Denied: Restricted Task"
| Status   | Assigned | Task |
|----------|----------|------|
| Resolved | chasemp  | T75781 Cannot view Bugzilla migrated private/security tasks I am author/reporter of |
| Resolved | mmodell  | T493 Prevent private information being leaked via Herald notifications |
| Resolved | Qgil     | T76401 Short term plan for security and private tasks |
| Resolved | chasemp  | T78243 Phabricator upgrade on 2015-01-14 |
| Resolved | chasemp  | T77976 phabricator - don't run as root |
Mentioned In:
- rPHEX3550419455ef: Huge refactor of security policy enforcer stuff.
- T76008: Nonexistent change in custom policy logged when mentioning a security task

Mentioned Here:
- T493: Prevent private information being leaked via Herald notifications
- T48143: Spam blacklist ineffective on encoded URLs inside file inclusion syntax's link parameter
- T73167: Scribunto allows cross-origin leakage of data from a wiki through timing
- T518: Users CCed in private tasks should be able to access them
We're going to work on solving this problem, but might not get to it this week yet (migration cleanup, Thanksgiving).
I'm sorry for the inconvenience. This was not expected and is a bug with migration. It does work for newly created tasks.
@chasemp will run a script to include authors of Bugzilla migrated private tasks in the ACL of these tasks. The View & Edit permissions reporters of private tasks had in Bugzilla will be respected for the users with account in Phabricator when we update the ACLs. Whoever comes after will need to wait until the ACL of a task they reported is updated, i.e. with a new comment.
I wonder whether this is still an issue. Users that found themselves in this situation have probably got access to the tasks by now, or can get it just by asking someone to update the task.
Understood guys. So the general consensus from the Phab team and Operations is to do a one-time fixup making Bugzilla CC'd users, creators, and assignees part of the valid policy on these issues. That means that if someone shows up later to the Phabricator party and was CC'd on a legacy issue, they will need to be manually added to the policy to view it. The idea is that it is very undesirable to have the continual automated history assignment jobs constantly changing policy on legacy issues. This is a compromise for sure, but the bulk of users are here now, especially the really active ones.
So I'm poking at this and that is the plan.
I programmatically went through every imported issue from the Bugzilla security product and adapted the policies to include the original author and CC'd individuals if they have a current Phab account. Per Operations and Phabricator team guidelines we will _not_ be updating these policies in an ongoing fashion, as it poses a whole host of risks.
However, if you reported or were CC'd in bz on an issue that was imported here, you should be gtg if you moved over.
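The one-time fixup described in the last two comments, modelled as an added example (this is not chasemp's script and not Wikimedia or Phabricator code). It works on constructed data instead of the Conduit API: `MigratedTask`, `fixup_policies`, the e-mail addresses and the `PHID-USER-*` identifiers are assumptions for illustration. It shows the three properties a practitioner would want from such a pass: only tasks imported from the security product are touched, only people who already have a Phabricator account are added (everyone else is reported for a manual add, since no recurring job will pick them up), and running it twice changes nothing.

```python
# Added example modelling the one-time policy fixup discussed above.
# Not the script that was actually run; all names and data are constructed.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class MigratedTask:
    task_id: str                  # Phabricator task id, e.g. "T75781"
    bz_product: str               # Bugzilla product the bug was imported from
    reporter: str                 # Bugzilla reporter e-mail
    cc: frozenset                 # Bugzilla CC list (e-mails)
    assignee: Optional[str] = None
    # Members of the task's custom view/edit policy, as Phabricator user PHIDs.
    view_policy: set = field(default_factory=set)
    edit_policy: set = field(default_factory=set)


def fixup_policies(tasks, accounts, security_product="Security"):
    """One-time pass: for every task imported from the Bugzilla security
    product, add the Bugzilla reporter, CC'd users and assignee to the task's
    custom policies, but only for people who already have a Phabricator
    account (accounts maps verified e-mail -> user PHID).

    Returns {task_id: (added_phids, skipped_emails)}. Skipped e-mails belong
    to people without an account; per the thread they are not picked up by
    any later job and must be added by hand. Running the pass twice adds
    nothing the second time."""
    report = {}
    for task in tasks:
        if task.bz_product != security_product:
            continue                  # only migrated security bugs are touched
        wanted = {task.reporter, *task.cc}
        if task.assignee:
            wanted.add(task.assignee)
        added, skipped = set(), set()
        for email in sorted(wanted):
            phid = accounts.get(email)
            if phid is None:
                skipped.add(email)    # no Phab account yet: manual add later
                continue
            if phid not in task.view_policy:
                added.add(phid)
            # Assumption: reporters and CCs could view and edit the bug in
            # Bugzilla, so they get both rights on the migrated task.
            task.view_policy.add(phid)
            task.edit_policy.add(phid)
        report[task.task_id] = (added, skipped)
    return report


# Constructed sample data (not real accounts or tasks).
ACCOUNTS = {
    "alice@example.org": "PHID-USER-alice",
    "bob@example.org": "PHID-USER-bob",
    "carol@example.org": "PHID-USER-carol",
}


def sample_tasks():
    return [
        # Migrated security bug; carol is already in the custom policy.
        MigratedTask("T1001", "Security", "alice@example.org",
                     frozenset({"bob@example.org", "dave@example.org"}),
                     assignee="carol@example.org",
                     view_policy={"PHID-USER-carol"},
                     edit_policy={"PHID-USER-carol"}),
        # Bug from another product: must be left alone.
        MigratedTask("T1002", "MediaWiki", "bob@example.org",
                     frozenset({"alice@example.org"})),
    ]


def run_fixup():
    """Run the pass twice on the sample data and return (tasks, first, second)."""
    tasks = sample_tasks()
    first = fixup_policies(tasks, ACCOUNTS)
    second = fixup_policies(tasks, ACCOUNTS)   # idempotency check
    return tasks, first, second


if __name__ == "__main__":
    tasks, first, second = run_fixup()
    for tid, (added, skipped) in first.items():
        print(tid, "added:", sorted(added), "needs manual add:", sorted(skipped))
```

The `skipped` half of the report is the part worth keeping: it is the list of Bugzilla participants who, as the thread says, will have to ask for access once they create an account, since the policies are deliberately not touched again afterwards.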