Page MenuHomePhabricator
Create Task
Maniphest T94565

Adding users to CC on Phabricator security tasks doesn't add them to the view/edit policy
Closed, InvalidPublic
Actions

Description

I thought we fixed this, but I hit this again today. Adding users to the CC on a task doesn't update the policy, so the users can't see tasks that they are getting notifications about.

Related Objects

Event Timeline

csteipp created this task.Mar 31 2015, 1:46 PM
csteipp raised the priority of this task from to Needs Triage.
csteipp updated the task description. (Show Details)
csteipp added a project: Release-Engineering-Team.
csteipp subscribed.
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMar 31 2015, 1:46 PM
Aklapper added a project: Phabricator.Apr 1 2015, 3:05 PM

@csteipp: On which ticket did you see this?

Related: T518: Users CCed in private tasks should be able to access them; https://www.mediawiki.org/wiki/Phabricator/Security

csteipp added a comment.Apr 1 2015, 6:27 PM

@Aklapper, almost all of the blockers of T87275. They pretty much all show that I added two users to the task on Monday

csteipp added subscribers: Grunny, ProgramCeltic.Via Web · Mon, Mar 30, 8:01 PM

But Grunny let me know via email that he wasn't able to see any of them, so early Tuesday morning I added them to the policy of each. Before adding them, they weren't in the view or edit policies.

csteipp changed the visibility of this Task from "Custom Policy" to "Custom Policy".Via Web · Tue, Mar 31, 12:37 PM

Aklapper triaged this task as Medium priority.Apr 2 2015, 10:59 PM
Aklapper set Security to None.
Aklapper added a subscriber: mmodell.
mmodell added a comment.Apr 3 2015, 9:09 PM

@csteipp: I wrote a custom policy rule class called 'subscribers of task' which should be added instead of individual user names. That one rule will match all subscribers so that they don't have to be added individually. Setting a task to secure should add that rule to the task's policy. I'm not sure why this wouldn't be happening - it's fairly well tested and no changes have been made to that code for quite a long time.

csteipp added a comment.Apr 3 2015, 9:57 PM
In T94565#1179222, @mmodell wrote:

@csteipp: I wrote a custom policy rule class called 'subscribers of task' which should be added instead of individual user names. That one rule will match all subscribers so that they don't have to be added individually. Setting a task to secure should add that rule to the task's policy. I'm not sure why this wouldn't be happening - it's fairly well tested and no changes have been made to that code for quite a long time.

Just to clarify, you're saying it should Just Work to add someone as a CC on a private task, and everything should get updated so that they have full access to it, right?

csteipp added a comment.Apr 3 2015, 10:03 PM

In testing, this looks like it's working. What can I do the next time this comes up to help you debug?

mmodell added a comment.Apr 3 2015, 10:58 PM

@csteipp: right, it should just work™

If it comes up again just link me directly to the issue before changing anything so I can look at the debug console... It really shouldn't be an issue, as long as the "subscribers of task #n" rule is added to the policy, and the correct task # is in there, it should work. And if it's not, you can add that rule, though it really should be there automatically.

Aklapper mentioned this in T96554: Cannot view T96548.Apr 20 2015, 8:11 PM
Aklapper merged a task: T96554: Cannot view T96548.
Aklapper added subscribers: Legoktm, Qgil, valhallasw, scfc.
jeremyb-phone mentioned this in T98697: As subscriber I do not have access to a task.May 10 2015, 8:22 AM
Ankry subscribed.May 10 2015, 9:39 AM
mmodell closed this task as Invalid.May 12 2015, 11:13 AM
mmodell claimed this task.

I'm closing this one,

Please reopen if you run into a legitimate instance of this bug. If the security drop-down field is set to "security bug" it should automatically get the right behavior by way of a custom security policy with "subscribers of T### can view", if this is not the case please link to the bug in question so that I can debug it.

Ankry unsubscribed.May 12 2015, 11:23 AM
greg moved this task from INBOX to Done on the Release-Engineering-Team board.May 23 2015, 2:14 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL