This is a suggested permissions alteration for the powers of administrators. If possible I believe an update to allow administrators to manage content of disabled users would be helpful. Such as being able to edit tasks, blogs, projects and so on where they were previously set to only allow "Editable By" self.
This would be particularly useful for accessing content created by ex-team members.
Whilst this is one method it isn't useful for administrators without route access. It seems to be an unnecessarily long-winded method having to unlock each item one by one.
If disabling a user removed all policy controls, an attacker who compromised an administrative account (or a malicious administrator) could disable other users and then access information they could not otherwise see.
I do not currently anticipate ever adding features like this to the upstream. It is explicitly intentional that you must have access to the host to bypass policy controls.
See https://secure.phabricator.com/book/phabricator/article/users/#administrators for discussion of the deliberately limited role of administrators.
Opening objects individually is cumbersome, and it's possible that we could provide a CLI tool to bulk override policies, but this would be complicated, and we haven't previously seen other installs encounter this issue, and it seems unusual. I can't immediately come up with good reasons to get into this position in the first place. Why did this user create a large number of self-editable objects which now need to be edited? What was the plan when the user, say, went on vacation or had a family emergency?
@epriestley
Yes your point about security risk is completely valid. Just wondering if there is something that can be done whilst avoiding comprising security. Perhaps a console command to unlock all objects owned by a specific user, changing all custom policy objects containing the user and adding administrator access.
I believe you have further demonstrated the hypothetical of the type of potential issue with custom policies set to self. There are a few content types in phabricator that lock to self by default such as Files, which can be an exceptional burden to remove/alter.
If there is a way to prevent items being locked to individuals I am keen to hear it.
It's important for us to understand the why of a feature request, since we won't likely add them for hypotheticals. See Describing Root Problems for how we look to describe problems.