The UI (where we tell you to go run some command and then reload the page) is pretty clumsy, but should solve some problems for now and can be cleaned up eventually. The actual mechanics (timeline aggregation, Herald interaction, etc.) are on firmer ground.
- Maniphest Tasks
- T13042: Add a "silent" mode to bulk edits
- rP3038d564a6d8: Allow bulk edits to be made silently if you have CLI access
- Made a normal bulk edit, got mail and feed stories.
- Made a silent bulk edit, no mail and no feed.
- Saw "Silent Edit" marker in timeline for silent edits:
What's the attack that opens up if we just add a [X] Do job silently checkbox in the bulk editor UI? As a user, I "rely" on emails and in-app notifications to stay on top of activities, but I don't treat them as a 100% reliable security measure. Email can always be dropped/lost/accidentally marked as spam, so I'd rely on something like Herald to enforce rules above and beyond the normal policy framework.
It doesn't necessarily let you do anything explicitly evil, it just lowers your profile a lot and gives you a useful tool to help you sneak around better. For example, with D18873, you could go write a script which uses the bulk editor to replace every link in every task with a link to [[ /\evil.com/tabnab.htm ]]. There's no way you could do that without being noticed instantly if you were sending out tens of thousands of mail messages and feed stories, but you might get someone if you can do it silently.
Or you compromise an administrator account and add yourself to the "Very Powerful Users" project: likely to raise eyebrows if it shows up in feed and mail, but could escape detection for a long time otherwise.
As things evolve (e.g., SMS alerts in T920), I think these channels will become a more reasonable layer in overall auditing/security approaches too (e.g., "send me an SMS when such-and-such happens" -- not 100% reliable, but reasonable as a guardrail against human mistakes with a bonus that it catches sneaky attackers).