Page MenuHomePhabricator

Passphrase uses "edit" permission to decide who can see the secret, not the "visible" permission
Closed, DuplicatePublic



  1. Create a new Passphrase Credential
  2. pick Token
  3. give name
  4. select Visible To dropdown, pick Custom Policy
  5. Allow users: {me}, {another person}
  6. Save Policy
  7. leave "Editable By" as is ("Credential Author")
  8. Token: asdf
  9. Save
  10. Send link to "{another person}"

Them to be able to reveal the secret.

They're told they're not allowed to reveal the secret because they don't have the Edit permission

You Shall Not Pass: K8	
You do not have permission to edit this object.
Users with the "Can Edit" capability:
The author of this credential can take this action.

Setting the same custom policy on Editable By removes the issue and lets them reveal the secret but it also lets them edit it.


phabricator f0bf0419f12ad56e5f1e122543ff27be4e048a92 (Dec 2 2016)
arcanist fad85844314b151994769a461825c90f7400c145 (Oct 22 2016)
phutil 213c7339ccd3e6ee0678b39e2354182f36eae23b (Dec 2 2016)