Maniphest T12055

Passphrase uses "edit" permission to decide who can see the secret, not the "visible" permission
Closed, DuplicatePublic
Actions

Assigned To

None

Authored By

	allixsenos
	Jan 2 2017, 5:26 PM

Description

Repro:

Create a new Passphrase Credential
pick Token
give name
select Visible To dropdown, pick Custom Policy
Allow users: {me}, {another person}
Save Policy
leave "Editable By" as is ("Credential Author")
Token: asdf
Save
Send link to "{another person}"

Expect:
Them to be able to reveal the secret.

Actual:
They're told they're not allowed to reveal the secret because they don't have the Edit permission

You Shall Not Pass: K8	
You do not have permission to edit this object.
Users with the "Can Edit" capability:
The author of this credential can take this action.

Setting the same custom policy on Editable By removes the issue and lets them reveal the secret but it also lets them edit it.

Versions:

phabricator f0bf0419f12ad56e5f1e122543ff27be4e048a92 (Dec 2 2016)
arcanist fad85844314b151994769a461825c90f7400c145 (Oct 22 2016)
phutil 213c7339ccd3e6ee0678b39e2354182f36eae23b (Dec 2 2016)

Event Timeline

allixsenos created this task.Jan 2 2017, 5:26 PM

chad closed this task as a duplicate of T4721: Improve user-facing documentation for Passphrase.Jan 2 2017, 5:38 PM

Passphrase uses "edit" permission to decide who can see the secret, not the "visible" permissionClosed, DuplicatePublicActions

Description

Event Timeline

Passphrase uses "edit" permission to decide who can see the secret, not the "visible" permission
Closed, DuplicatePublic
Actions