Page MenuHomePhabricator
Create Task
Maniphest T6463

Differential allows adding a reviewer who does not have access to it
Closed, DuplicatePublic
Actions

Description

Here are the simple steps:

  1. Create a project and set yourself as the only member.
  2. Add a new repository and set its access to members of that project (so just you).
  3. Make some changes and create a revision. Add any reviewer to it.

This will succeed. The reviewer will receive an email and a notification about the pending review, but will not be able to navigate to it.

It would be neat if I could get a heads up when I about to do something this silly so I get a chance to fix it.

Related Objects

Event Timeline

anton.vladimirov created this task.Nov 4 2014, 1:32 AM
anton.vladimirov raised the priority of this task from to Needs Triage.
anton.vladimirov updated the task description. (Show Details)
anton.vladimirov added a subscriber: anton.vladimirov.
chad added a subscriber: chad.EditedNov 4 2014, 3:05 AM

I think we may be planning the opposite. That being if you decide to add someone who normally cannot see something, you are in essence granting them access at that time (though we may of course, warn you first). T4411 covers this case. T3820 covers building proper security walls between areas.

chad closed this task as a duplicate of T4411: Adding a CC to a Maniphest Task should give View rights for that user.Nov 4 2014, 3:07 AM
anton.vladimirov added a comment.Nov 4 2014, 3:52 AM

Yeah, that makes sense.

chad added projects: Differential, Policy.Dec 5 2014, 6:23 AM
chad merged a task: T6697: Disallow adding reviewers who cannot view a revision.
chad added subscribers: lfaraone, jesseendahl.
Phabricator · Built by Phacility