
Support access policies for saved queries
Closed, Wontfix · Public

Description

The lack of support of access policies for saved queries implies a few issues:

  • A saved query is viewable by every other user (if the query's ID is known), which is problematic from a privacy PoV. A user might have a saved query which contains sensitive information no one else should know about.
  • A saved query's name is not visible to other users, so when a saved query is used to configure a Dashboard Panel, other users viewing/modifying the configuration will only see something like Custom Query ("6IJFby9aEVb7")
  • A saved query can't be shared with other users for editing, so when a saved query is used to configure a Dashboard Panel, other users modifying the configuration will have to create another saved query when the criteria for the query need to be changed.

I would like to see full support for Access Policies in Saved Queries to:

  • hide the information of a Saved Query by default from other users
  • grant explicit read/write access to a Saved Query

This might also affect other areas/applications, but those issues were just the ones I ran into when working with Saved Queries in Dashboard Panels.

NOTE: When editing a Dashboard Panel, the Query dropdown would have to update and filter the available values based on the Panel's policies (e.g. a globally available Panel using a Query only visible to the current user doesn't make sense).
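The filtering rule in the NOTE above, as an added example that is not part of this task or of Phabricator's own code: a policy is modelled as the set of principals it admits, and a Saved Query is eligible for a Panel only when every principal who can view the Panel can also view the Query. The tier names, user names and query names are constructed for the example.

```python
from dataclasses import dataclass

# Assumed policy tiers (constructed for this example, not Phabricator's constants).
PUBLIC = "public"      # anyone, including logged-out visitors
ALL_USERS = "users"    # any logged-in user
OWNER = "owner"        # the owner plus an explicit allow-list


@dataclass(frozen=True)
class Policy:
    """Who may view an object: a tier, its owner and an explicit allow-list."""
    tier: str = OWNER
    owner: str = ""
    allowed: frozenset = frozenset()

    def admits(self, viewer: str) -> bool:
        if self.tier == PUBLIC:
            return True
        if viewer == "anonymous":          # logged-out viewers only pass PUBLIC
            return False
        if self.tier == ALL_USERS:
            return True
        return viewer == self.owner or viewer in self.allowed


def covers(query_policy: Policy, panel_policy: Policy, known_users) -> bool:
    """True if every principal who can view the Panel can also view the Query."""
    principals = set(known_users) | {"anonymous"}
    return all(query_policy.admits(p) for p in principals if panel_policy.admits(p))


def eligible_queries(panel_policy: Policy, queries: dict, known_users) -> list:
    """What the Query dropdown should offer for a Panel with panel_policy:
    only queries that no viewer of the Panel would be blocked from reading."""
    return [name for name, qp in queries.items()
            if covers(qp, panel_policy, known_users)]


# Constructed sample data: three users and four saved queries with differing policies.
USERS = ["alice", "bob", "carol"]
QUERIES = {
    "hr-keywords": Policy(OWNER, "alice"),                      # alice only
    "team":        Policy(OWNER, "alice", frozenset({"bob"})),  # alice and bob
    "open-tasks":  Policy(ALL_USERS),                           # any logged-in user
    "roadmap":     Policy(PUBLIC),                              # everyone
}

if __name__ == "__main__":
    # A globally visible Panel may only reference the public query.
    print(eligible_queries(Policy(PUBLIC), QUERIES, USERS))
```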

Event Timeline

A user might have a saved query which contains sensitive information no one else should know about.

How would other users discover the query's ID?

Hey, security by obscurity doesn't count! ;)

But really, a possible scenario would be:

  • Create a saved query
  • Use it in a Dashboard Panel which has a public access policy
  • Forget about the fact that the Saved Query was used in the Dashboard
  • Edit the Saved Query to contain something sensitive
  • Another user sees this in the Dashboard configuration and decides to look up the query:

[Attached screenshot: Spectacle.jd2249.png]

Besides that, it feels odd to me to use objects which are local to a user (Saved Queries) in a global/user-shared context (Dashboard Panels), so I would argue here also in favor of consistency to make Saved Queries regular global objects to which the access can be controlled using Access Policies.

epriestley claimed this task.

Edit the Saved Query to contain something sensitive

This isn't possible.

I'd argue differently:
As long as there's the possibility to enter custom text values, anything could end up (accidentally or not) there (e.g. a user who uses Phabricator for HR tasks could possibly have a Saved Query searching for certain keywords etc.)

Besides that, privacy actually wasn't my main issue here but more the fact that local and global objects are mixed up here and depend on each other, causing all those scenarios where things act weird (e.g. only an ID visible in the Query dropdown).

Have you actually tested this scenario yourself?