
Differential allows adding a reviewer who does not have access to it
Closed, Duplicate (Public)

Description

Here are the simple steps:

  1. Create a project and set yourself as the only member.
  2. Add a new repository and set its access to members of that project (so just you).
  3. Make some changes and create a revision. Add any reviewer to it.

This will succeed. The reviewer will receive an email and a notification about the pending review, but will not be able to navigate to it.

It would be neat if I could get a heads-up when I am about to do something this silly, so I get a chance to fix it.

Event Timeline

anton.vladimirov raised the priority of this task from to Needs Triage.
anton.vladimirov updated the task description.
anton.vladimirov added a subscriber: anton.vladimirov.

I think we may be planning the opposite. That is, if you decide to add someone who normally cannot see something, you are in essence granting them access at that time (though we may, of course, warn you first). T4411 covers this case. T3820 covers building proper security walls between areas.
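
The two behaviors discussed in this task, the warning asked for in the description and the grant-on-add approach mentioned in the reply, as an added Python model. It is not Phabricator code, and every name in it (`Project`, `Revision`, `add_reviewers`, `unreachable_reviewers`) is hypothetical.

```python
from __future__ import annotations
from dataclasses import dataclass, field

@dataclass
class Project:
    name: str
    members: set[str] = field(default_factory=set)

@dataclass
class Revision:
    title: str
    view_project: Project          # repository is visible to this project's members only
    reviewers: list[str] = field(default_factory=list)
    granted: set[str] = field(default_factory=set)   # explicit per-revision view grants

    def can_view(self, user: str) -> bool:
        return user in self.view_project.members or user in self.granted

def add_reviewers(rev: Revision, users: list[str], mode: str = "warn") -> list[str]:
    """Add reviewers and return notices for the person making the change.

    mode="warn":  skip users who cannot view the revision and say so.
    mode="grant": add them anyway and record an explicit view grant.
    """
    if mode not in ("warn", "grant"):
        raise ValueError(f"unknown mode: {mode}")
    notices = []
    for user in users:
        if not rev.can_view(user):
            if mode == "warn":
                notices.append(f"{user} cannot view {rev.title}; not added")
                continue
            rev.granted.add(user)  # widens visibility, so it is always reported
            notices.append(f"{user} granted view access to {rev.title}")
        if user not in rev.reviewers:
            rev.reviewers.append(user)
    return notices

def unreachable_reviewers(rev: Revision) -> list[str]:
    """Audit helper: reviewers who are notified but cannot open the revision."""
    return [u for u in rev.reviewers if not rev.can_view(u)]

if __name__ == "__main__":
    # Constructed sample data following the reproduction steps in the description.
    secret = Project("secret", {"anton"})
    rev = Revision("D1", secret, reviewers=["bob"])   # reported behavior: no check
    print(unreachable_reviewers(rev))
    print(add_reviewers(Revision("D2", secret), ["bob"], mode="warn"))
```
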