
Commit summaries affiliated with policy-restricted repos are visible to users not in the policy to which the repo is restricted
Closed, Resolved · Public

Description

I'm guessing that this is actually some setting I have wrong, but after a while of looking, I haven't been able to find it. On our Phabricator instance, we have restrictive projects for groups, and then each repo belongs to one of these projects. If a user who is not in the project attempts to view the repo's source, Phabricator blocks them as it should.

If the same user goes into the Audit application and selects "All Commits", they can then see the commits and the summary text (although they do not have access to view the commit object itself). Can this be disabled with a setting change?

Event Timeline

davidressman raised the priority of this task from to Needs Triage.
davidressman updated the task description.
davidressman added a subscriber: davidressman.

This will be resolved by T4715, which has most of a diff ready (D8805). @btrahan is leading the charge on it and has been traveling this week, but I expect this will be fixed pretty shortly.

I'm back.

D8805 should get an update tomorrow. It ends up touching a large surface area and I need a big block of time to finish it off and test it well, which I will have tomorrow. :D

epriestley claimed this task.

This should be fixed as of a few days ago. There are a couple of minor things still trickling in for the newer UI, but the basic policy issue should be good now.