
Allow bulk edits to be made silently if you have CLI access
Closed, Public

Authored by epriestley on Jan 19 2018, 6:21 PM.

Details

Summary

Fixes T13042. This hooks up the new "silent" mode from D18882 and makes it actually work.

The UI (where we tell you to go run some command and then reload the page) is pretty clumsy, but should solve some problems for now and can be cleaned up eventually. The actual mechanics (timeline aggregation, Herald interaction, etc.) are on firmer ground.

Test Plan
  • Made a normal bulk edit, got mail and feed stories.
  • Made a silent bulk edit, no mail and no feed.
  • Saw "Silent Edit" marker in timeline for silent edits:

Diff Detail

Repository
rP Phabricator
Lint
Automatic diff as part of commit; lint not applicable.
Unit
Automatic diff as part of commit; unit tests not applicable.

Event Timeline

epriestley created this revision.

What's the attack that opens up if we just add a [X] Do job silently checkbox in the bulk editor UI? As a user, I "rely" on emails and in-app notifications to stay on top of activities, but I don't treat them as a 100% reliable security measure. Email can always be dropped/lost/accidentally marked as spam, so I'd rely on something like Herald to enforce rules above and beyond the normal policy framework.

This revision is now accepted and ready to land. Jan 19 2018, 8:08 PM

It doesn't necessarily let you do anything explicitly evil, it just lowers your profile a lot and gives you a useful tool to help you sneak around better. For example, with D18873, you could go write a script which uses the bulk editor to replace every link in every task with a link to [[ /\evil.com/tabnab.htm ]]. There's no way you could do that without being noticed instantly if you were sending out tens of thousands of mail messages and feed stories, but you might get someone if you can do it silently.

Or you compromise an administrator account and add yourself to the "Very Powerful Users" project: likely to raise eyebrows if it shows up in feed and mail, but could escape detection for a long time otherwise.

As things evolve (e.g., SMS alerts in T920), I think these channels will become a more reasonable layer in overall auditing/security approaches too (e.g., "send me an SMS when such-and-such happens" -- not 100% reliable, but reasonable as a guardrail against human mistakes with a bonus that it catches sneaky attackers).

This revision was automatically updated to reflect the committed changes.