Don't count "Cc: x@y.com" as a legitimate recipient if the user who has "x@y.com" attached to their account has not verified the address
ClosedPublic
Actions

Authored by epriestley on Jun 19 2019, 6:15 PM.

Details

Reviewers

Maniphest Tasks

T13317: Unverified/nonsense account emails can trigger inbound CCs (was: Inbound support pact email sometimes CCs disabled user `@maxhodges` in Phacility)

Commits

rPcaaa1394ef15: Don't count "Cc: x@y.com" as a legitimate recipient if the user who has "x@y.

Summary

Fixes T13317. On admin.phacility.com, an enterprising user added noreply@admin.phacility.com to their account. This caused them to become CC'd on several support issues over the last year, because we send mail "From" this address and it can get CC'd via reply/reply all/whatever else.

The original driving goal here is that if I reply to a task email and CC you on my reply, that should count as a CC in Phabricator, since this aligns with user intent and keeps them in the loop.

This misfire on noreply@ is ultimately harmless (being CC'd does not grant the user access permission, see T4411), but confusing and undesirable. Instead:

Don't allow reserved addresses ("noreply@", "ssladmin@", etc) to trigger this subscribe-via-CC behavior.
Only count verified addresses as legitimate user recipients.

Test Plan

Added a bin/mail receive-test --cc ... flag to make this easier to test.
Sent mail as bin/mail receive-test --to X --as alice --cc bailey@verified.com. Bailey was CC'd both before and after the change.
Sent mail as bin/mail receive-test --to X --as alice --cc unverified@imaginary.com, an address which Bailey has added to her account but not verified.
- Before change: Bailey was CC'd on the task anyway.
- After change: Bailey is not CC'd on the task.