Reported upstream: https://secure.phabricator.com/T6869
As an unregistered user visiting https://phabricator.wikimedia.org/T25382 , I want to see "wikibugs-l" instead of "Restricted Mailing List" so that I'm not provided with misleading/irrelevant information.
| Status | Subtype | Assigned | Task | ||
|---|---|---|---|---|---|
| Resolved | Krenair | T76988 Task's subscribers list says "Restricted Mailing List" instead of "wikibugs-l" when not logged in | |||
| Resolved | • chasemp | T86772 Next Phabricator upgrade on 2015-02-18 | |||
| Invalid | • chasemp | T89824 post T86772 |
https://phabricator.wikimedia.org/applications/view/PhabricatorMailingListsApplication/ says
Can Use Application All Users
https://phab-01.wmflabs.org/applications/view/PhabricatorMailingListsApplication/ and https://secure.phabricator.com/applications/view/PhabricatorMailingListsApplication/ say "Public" instead.
Maybe this is all that needs to be fixed? I don't know if "Public" means that anonymous users can mess with the current mailing lists introduced. But well, even if that would be the case, this would not be very different from any logged in user being able to mess up... In any case, there is no separate Can View policy here.
I think @mmodell set this as we realized indeed that any anon could mess with the mailing lists. Some priv separation is missing I suppose.
Let's test this assumption.
As anonymous user, https://phab-01.wmflabs.org/mailinglists/ shows no list, and therefore there is nothing I can mess up with. If I click "Create list", then a login form appears. In other words, there is nothing that anonymous me can do.
However, if you visit https://phab-01.wmflabs.org/mailinglists/ as logged in user, you can see "wikitech-announce", and you can edit it.
The thing is, as anonymous user "wikitech-announce" also shows as "Restricted Mailing List" in https://phab-01.wmflabs.org/T460
Conclusion: these permissions seem to be messed up. It looks like the desired solution is the usual separate policies for Can Use, Can View, Can Edit.
I wasn't really around for the perm change I just vaguely recall. But a view/edit separation seems in order.
Upstream seems uninterested in fixing this because mailing lists are essentially deprecated or a dead-end in their roadmap.
https://secure.phabricator.com/T6869 has been fixed upstream, but I don't know whether this fix will make it to T78243: Phabricator upgrade on 2015-01-14 or whether we have already taken the upstream snapshot we will upgrade to.
Not yet fixed in our currently deployed version; plus leaving open as I want to retest after pulling
The upstream change allows local administrators to alter the settings to allow the Mailing lists application to be used by logged out users. Previously you could set that policy, but it would have no effect.
I think it's ok now. The issue before was also that by setting to public anonymous users could edit the lists. Seems not so anymore.