There are a total of 6 security issues that I am CC'd to in old-bugzilla which I can view, but if I try to browse to them in Phabricator they're broken: "Access Denied: Restricted Task"
Description
| Status | Subtype | Assigned | Task |
|---|---|---|---|
| Resolved | | chasemp | T75781 Cannot view Bugzilla migrated private/security tasks I am author/reporter of |
| Resolved | | mmodell | T493 Prevent private information being leaked via Herald notifications |
| Resolved | | Qgil | T76401 Short term plan for security and private tasks |
| Resolved | | chasemp | T78243 Phabricator upgrade on 2015-01-14 |
| Resolved | | chasemp | T77976 phabricator - don't run as root |
Event Timeline
I should note this is not quite T518: I reported one of the tickets, I was not just CC'd.
I've changed the summary to specifically make this about being the author. T518 is already about CC list.
We're going to work on solving this problem, but might not get to it this week yet (migration cleanup, Thanksgiving).
I'm sorry for the inconvenience. This was not expected and is a bug with migration. It does work for newly created tasks.
It's also worth noting in this case that the file is one I had uploaded. Obviously, Phabricator does not think so, as "The user who uploaded a file can always view and edit it."
See our current plan at https://www.mediawiki.org/wiki/Phabricator/Security#Cannot_view_Bugzilla_migrated_private.2Fsecurity_tasks_I_am_author.2Freporter_of
@chasemp will run a script to include authors of Bugzilla migrated private tasks in the ACL of these tasks. The View & Edit permissions reporters of private tasks had in Bugzilla will be respected for users with an account in Phabricator when we update the ACLs. Whoever comes after will need to wait until the ACL of a task they reported is updated, i.e. with a new comment.
It seems that tasks imported from Bugzilla still have @bzimport in the ACL, even though they have the correct user in the subscriber list. Taking any action on the task will cause Herald to work its magic and fix the ACL.
I wonder whether this is still an issue. Users that found themselves in this situation have probably got access to the tasks by now, or can get it just by asking someone to update the task.
Understood guys. So the general consensus from the Phab team and Operations is to do a one-time fixup making Bugzilla CC'd users, creators, and assignees part of the valid policy on these issues. That means that if someone shows up later to the Phabricator party and was CC'd on a legacy issue they will need to be manually added to the policy to view it. The idea is that it is very undesirable to have the continual automated history assignment jobs constantly changing policy on legacy issues. This is a compromise for sure, but the bulk of users are here now, especially the really active ones.
So I'm poking at this and that is the plan.
Did some testing and I believe I can fix up the ACLs, but when I do so it gets reverted since the security extension right now is heavy-handed with ACL possibilities. So T493 is a blocker for this.
I programmatically went through every imported issue from the Bugzilla security product and adapted the policies to include the original author and CC'd individuals if they have a current Phab account. Per Operations and Phabricator team guidelines we will _not_ be updating these policies in an ongoing fashion as it poses a whole host of risks.
However, if you reported or were CC'd in bz on an issue that was imported here you should be gtg if you moved over.
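The one-time fixup described in the comments above (add the Bugzilla reporter and CC list to each imported task's view policy, but only for people who already have a Phabricator account, and never re-run it automatically) as an added, stand-alone example. This is not the script chasemp ran and it does not touch Phabricator's Conduit API; the task records, the `ACCOUNT_MAP` from Bugzilla e-mail to Phabricator username, and the sample tasks are constructed stand-ins so the logic can be run offline.

```python
"""One-time ACL fixup for tasks imported from Bugzilla (added example).

For every imported security task, union the existing view policy with the
Bugzilla reporter and CC'd people who have a Phabricator account. Anyone
without an account is reported as skipped and must be added by hand if they
join later, which is the compromise the thread settles on. The data model
below is hypothetical; it is not Phabricator's policy or Conduit API.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# The import bot the thread mentions is left in place: the fixup only adds
# people, it does not decide who else belongs in the policy.
IMPORT_BOT = "bzimport"


@dataclass
class ImportedTask:
    id: str
    bz_reporter: str                 # Bugzilla e-mail of the original reporter
    bz_cc: list[str]                 # Bugzilla e-mails on the CC list
    view_policy: set[str] = field(default_factory=set)  # Phabricator usernames


# Constructed sample mapping: Bugzilla e-mail -> Phabricator username.
# People who never migrated are simply absent from this map.
ACCOUNT_MAP = {
    "alice@example.org": "alice",
    "bob@example.org": "bob",
    "carol@example.org": "carol",
}


def fixup_policy(task: ImportedTask, account_map: dict[str, str]) -> tuple[set[str], list[str]]:
    """Compute the new view policy for one task.

    Returns (new_policy, skipped): new_policy is the existing policy plus every
    reporter/CC address that maps to an account; skipped lists the addresses
    with no account, which are deliberately NOT added.
    """
    wanted = [task.bz_reporter] + list(task.bz_cc)
    new_policy = set(task.view_policy)
    skipped: list[str] = []
    for addr in wanted:
        user = account_map.get(addr)
        if user is None:
            skipped.append(addr)
        else:
            new_policy.add(user)
    return new_policy, skipped


def run_fixup(tasks: list[ImportedTask], account_map: dict[str, str]) -> dict[str, dict[str, list[str]]]:
    """Apply fixup_policy to every task exactly once and return a report.

    Running it a second time is harmless (it is a set union) but adds nothing,
    which is the property that makes a one-time pass acceptable.
    """
    report: dict[str, dict[str, list[str]]] = {}
    for task in tasks:
        new_policy, skipped = fixup_policy(task, account_map)
        added = sorted(new_policy - task.view_policy)
        task.view_policy = new_policy
        report[task.id] = {"added": added, "skipped": sorted(skipped)}
    return report


# Constructed sample tasks: both still carry only the import bot (plus one
# subscriber Herald already added) in their view policy.
SAMPLE_TASKS = [
    ImportedTask("T1", "alice@example.org",
                 ["bob@example.org", "dave@example.org"], {IMPORT_BOT}),
    ImportedTask("T2", "carol@example.org",
                 ["alice@example.org"], {IMPORT_BOT, "alice"}),
]

if __name__ == "__main__":
    for task_id, result in run_fixup(SAMPLE_TASKS, ACCOUNT_MAP).items():
        print(task_id, result)
```

The `skipped` list is the useful output for operators: it is exactly the set of people who, per the thread, will have to ask for manual addition if they create a Phabricator account later.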