I thought we fixed this, but I hit this again today. Adding users to the CC on a task doesn't update the policy, so the users can't see tasks that they are getting notifications about.
Description
Related Objects
Event Timeline
@csteipp: On which ticket did you see this?
Related: T518: Users CCed in private tasks should be able to access them; https://www.mediawiki.org/wiki/Phabricator/Security
@Aklapper, almost all of the blockers of T87275. They pretty much all show that I added two users to the task on Monday
csteipp added subscribers: Grunny, ProgramCeltic.Via Web · Mon, Mar 30, 8:01 PM
But Grunny let me know via email that he wasn't able to see any of them, so early Tuesday morning I added them to the policy of each. Before adding them, they weren't in the view or edit policies.
csteipp changed the visibility of this Task from "Custom Policy" to "Custom Policy".Via Web · Tue, Mar 31, 12:37 PM
@csteipp: I wrote a custom policy rule class called 'subscribers of task' which should be added instead of individual user names. That one rule will match all subscribers so that they don't have to be added individually. Setting a task to secure should add that rule to the task's policy. I'm not sure why this wouldn't be happening - it's fairly well tested and no changes have been made to that code for quite a long time.
Just to clarify, you're saying it should Just Work to add someone as a CC on a private task, and everything should get updated so that they have full access to it, right?
In testing, this looks like it's working. What can I do the next time this comes up to help you debug?
@csteipp: right, it should just work™
If it comes up again just link me directly to the issue before changing anything so I can look at the debug console... It really shouldn't be an issue, as long as the "subscribers of task #n" rule is added to the policy, and the correct task # is in there, it should work. And if it's not, you can add that rule, though it really should be there automatically.
I'm closing this one,
Please reopen if you run into a legitimate instance of this bug. If the security drop-down field is set to "security bug" it should automatically get the right behavior by way of a custom security policy with "subscribers of T### can view", if this is not the case please link to the bug in question so that I can debug it.