It is currently possible to mention a user in content that they don't have view permissions on. Either the mentioned user should automatically gain permission, or the user should be prompted to give the mentioned user permissions when they save their comment or text.
Description
Status | Subtype | Assigned | Task
---|---|---|---
Resolved | | Qgil | T78184 Phabricator should warn users when they mention other users on content (tasks/mockups) that the mentioned users cannot access
Resolved | | Qgil | T76401 Short term plan for security and private tasks
Event Timeline
Upstream and us both have discussed in depth the ways to grant/gain permission to content for users not included in the policy of a task. It has been explicitly decided that a mention should not change the policy nor grant special permissions. When T518 is solved, you will be able to add users by CCing them.
I'm pretty sure that this proposal should be declined, but I'm CCing @mmodell and @chasemp just in case I'm missing something.
More details at https://www.mediawiki.org/wiki/Phabricator/Security
@Qgil, that sounds reasonable, but I think there should be some alert when a user mentions another in a comment and that user does not have view permission.
In our current setup, the two likely scenarios are:
- Content is public. No problem.
- Content is private, the information is sensitive, the small circle is quite aware who is in and who is not.
I guess you are bringing this topic because users can restrict the access to mockups? The first question would be why should the default Public view be changed.
It came up for mockups, but I see it as a general issue for mockups and tasks as well. What are the use cases where people will have private tasks, and in those cases when will they need to bring additional people into the conversation?
This is a fairly involved modification to the core of Phabricator. There simply isn't any way for us to do this without investing a ton of work and modifying core Phab architecture, followed by ongoing maintenance of the functionality.
If we had someone who wants to volunteer some time to work with upstream - or one of our managers wants to dedicate some of our time to it - we could advocate for a patch and work on getting this accepted upstream. Certainly upstream has this on their radar; it just isn't particularly high priority for them.
Summarizing, our current approach is to default to public and be very careful with private objects. Under this perspective, the fact that mentioning users doesn't automatically add them to the policy of a task is a feature, not a bug. This opinion is agreed upstream.
Under this perspective, if you are unsure whether a user is or is not in the policy of a task, the first step is to be sure, because you are dealing with sensitive information. The UI hint that a user is not within the policy is nice, and we could have a long discussion about this, but the only realistic progress will come if this feature is developed upstream.
I'm declining this task as part of T76401: Short term plan for security and private tasks, since we have several pieces that need to be all in sync.
The behavior is not going to change; however, Phabricator now visualizes when a subscriber cannot access the object (see https://secure.phabricator.com/rPa4cb2bb7724757a8f9dd4d68fde3bda2fd6c7895 ), which was one of the options proposed in this task.
I recently noticed that in a comment that is both changing subscribers and mentioning a user that (without the changing of subscribers) would be unable to see the task, that relevant user is still indicated as unable to see the task (specially occurred at T302686#7740256 on an unrelated security issue). Where exactly should this be reported? If I recall, Phabricator upstream was closed down or is no longer maintained.