
Cannot view Bugzilla migrated private/security tasks I am author/reporter of
Closed, Resolved, Public

Description

There are a total of 6 security issues that I am CC'd on in old-bugzilla which I can view, but if I try to browse to them in Phabricator they're broken: "Access Denied: Restricted Task"

Event Timeline

Krenair created this task. Nov 24 2014, 7:57 PM
Krenair raised the priority of this task from to Needs Triage.
Krenair updated the task description.
Krenair changed Security from none to None.
Krenair updated the task description.
Krenair added a project: Phabricator.
Krenair added a subscriber: Krenair.

I should note this is not quite T518 - I reported one of the tickets, was not just CC'd.

Aklapper renamed this task from "Cannot view private tasks I am subscribed to" to "Cannot view private/security tasks I am author/reporter of". Nov 24 2014, 8:37 PM
Aklapper added a subscriber: Aklapper.

I've changed the summary to specifically make this about being the author. T518 is already about CC list.

We're going to work on solving this problem, but might not get to it this week yet (migration cleanup, Thanksgiving).
I'm sorry for the inconvenience. This was not expected and is a bug with migration. It does work for newly created tasks.

Qgil triaged this task as Normal priority. Nov 25 2014, 8:09 AM
Qgil added a subscriber: Qgil.
Qgil renamed this task from "Cannot view private/security tasks I am author/reporter of" to "Cannot view Bugzilla migrated private/security tasks I am author/reporter of". Nov 26 2014, 8:18 AM

This not only affects security tasks but also files attached to those tasks. For example, I cannot access F14893, referenced in the description of T73167, even though I now have access to the task.

It's also worth noting in this case that the file is one I had uploaded. Obviously, Phabricator does not think so, as "The user who uploaded a file can always view and edit it."

Qgil added a subscriber: chasemp. Dec 4 2014, 9:01 AM

See our current plan at https://www.mediawiki.org/wiki/Phabricator/Security#Cannot_view_Bugzilla_migrated_private.2Fsecurity_tasks_I_am_author.2Freporter_of

@chasemp will run a script to include authors of Bugzilla migrated private tasks in the ACL of these tasks. The View & Edit permissions reporters of private tasks had in Bugzilla will be respected for the users with an account in Phabricator when we update the ACLs. Whoever comes after will need to wait until the ACL of a task they reported is updated, i.e. with a new comment.

It seems that tasks imported from Bugzilla still have @bzimport in the ACL, even though they have the correct user in subscribers' list. Making any action on the task will cause Herald to work its magic and fix the ACL.

Qgil added a comment. Dec 29 2014, 12:49 PM

I wonder whether this is still an issue. Users that found themselves in this situation have probably got access to the tasks by now, or can get it just by asking someone to update the task.

Still waiting for T51169, T51741, T53818, T64866 which I can view in Bugzilla due to being CC'd. Only two others have appeared to me.

chasemp claimed this task. Dec 30 2014, 7:44 PM

I can't see T47343 T48143 T47837. I can see T59040.

Understood, guys. So the general consensus from the Phab team and Operations is to do a one-time fixup making Bugzilla CC'd, creators, and assignees part of the valid policy on these issues. That means that if someone shows up later to the Phabricator party and was CC'd on a legacy issue they will need to be manually added to the policy to view it. The idea is that it is very undesirable to have the continual automated history assignment jobs constantly changing policy on legacy issues. This is a compromise for sure, but the bulk of users are here now, especially the really active ones.

So I'm poking at this and that is the plan.

I can't see T47343 T48143 T47837. I can see T59040.

A few of these must have been manually fixed after you noted this?

Did some testing and I believe I can fix up the ACLs, but when I do so it gets reverted, since the security extension right now is heavy-handed with ACL possibilities. So T493 is a blocker for this.

chasemp closed this task as Resolved. Jan 14 2015, 7:26 PM

I programmatically went through every imported issue from the Bugzilla security product and adapted the policies to include the original author and cc'd individually if they have a current Phab account. Per Operations and Phabricator team guidelines we will _not_ be updating these policies in an ongoing fashion as it poses a whole host of risks.

However, if you reported or were cc'd in bz on an issue that was imported here you should be gtg if you moved over.