diff --git a/src/applications/maniphest/controller/ManiphestTransactionSaveController.php b/src/applications/maniphest/controller/ManiphestTransactionSaveController.php
--- a/src/applications/maniphest/controller/ManiphestTransactionSaveController.php
+++ b/src/applications/maniphest/controller/ManiphestTransactionSaveController.php
@@ -147,10 +147,28 @@
       $task->getSubscriberPHIDs()));
 
     if ($added_ccs) {
-      // We've added CCs, so include a CC transaction.
-      $all_ccs = array_merge($task->getSubscriberPHIDs(), $added_ccs);
-      $cc_transaction->setNewValue(array('=' => $all_ccs));
-      $transactions[] = $cc_transaction;
+      $users = id(new PhabricatorPeopleQuery())
+        ->withPHIDs($added_ccs)
+        ->loadPage();
+      $users = mpull($users, null, 'getPHID');
+
+      // Check if the added_ccs have CAN_VIEW permission on the object
+      foreach ($added_ccs as $key => $added_cc) {
+        if (!PhabricatorPolicyFilter::hasCapability(
+          $users[$added_cc],
+          $task,
+          PhabricatorPolicyCapability::CAN_VIEW)
+        ) {
+          unset($added_ccs[$key]);
+        }
+      }
+
+      if ($added_ccs) {
+        // We've added CCs, so include a CC transaction.
+        $all_ccs = array_merge($task->getSubscriberPHIDs(), $added_ccs);
+        $cc_transaction->setNewValue(array('=' => $all_ccs));
+        $transactions[] = $cc_transaction;
+      }
     }
 
     $comments = $request->getStr('comments');
diff --git a/src/applications/transactions/editor/PhabricatorApplicationTransactionEditor.php b/src/applications/transactions/editor/PhabricatorApplicationTransactionEditor.php
--- a/src/applications/transactions/editor/PhabricatorApplicationTransactionEditor.php
+++ b/src/applications/transactions/editor/PhabricatorApplicationTransactionEditor.php
@@ -1053,13 +1053,30 @@
       $phids = array_diff($phids, $this->subscribers);
     }
 
-    foreach ($phids as $key => $phid) {
-      if ($object->isAutomaticallySubscribed($phid)) {
-        unset($phids[$key]);
+    if ($phids) {
+      $users = id(new PhabricatorPeopleQuery())
+        ->withPHIDs($phids)
+        ->loadPage();
+      $users = mpull($users, null, 'getPHID');
+
+      foreach ($phids as $key => $phid) {
+        // Do not subscribe mentioned users
+        // who do not have VIEW Permissions
+        if (!PhabricatorPolicyFilter::hasCapability(
+          $users[$phid],
+          $object,
+          PhabricatorPolicyCapability::CAN_VIEW)
+        ) {
+          unset($phids[$key]);
+        } else {
+          if ($object->isAutomaticallySubscribed($phid)) {
+            unset($phids[$key]);
+          }
+        }
       }
+      $phids = array_values($phids);
     }
-    $phids = array_values($phids);
-
+    // No else here to properly return null should we unset all subscriber
     if (!$phids) {
       return null;
     }