→ →

What are you doing which can't be covered by Herald?

/me patiently awaits @20after4's response, after being directed to this ticket from Wikimedia's Phabricator instance

My recollection, at least, is that Herald wasn't originally suitable because of T6367. Prior to that task, an "attacker" could write a rule like this:

When [this is a security issue], [send me an email].

Getting your name on the mail recipient list didn't do a separate policy check, so this would let you keep tabs on the initial filing of security issues.

After T6367, policy changes applied by Herald should be correctly checked prior to mail delivery, so the above rule no longer allows an attacker to snoop on stuff they don't otherwise have access to. I think the behavior can now safely be applied as a Herald action.

I'm hoping to be able to obsolete this entirely via T9132 soon anyway, which we're within striking distance of bringing to Maniphest, although it is entangled with the WMF security behavior. Specifically, the "New Task" button should soon be able to be turned into a "New Security Issue" / "New Other Task" dropdown (see example in D14584 of the behavior in Paste), and the "New Security Issue" form can have all of the relevant fields prefilled and locked, or prefilled and completely hidden.

Broadly, we're in no rush to get rid of these events -- definitely no need to panic. I just wanted to push things in the right direction after T9851 was filed, which originally asked for the scope of these events to be substantially expanded.

In T9860#146319, @epriestley wrote:

What are you doing which can't be covered by Herald?

What we are doing is restricting task policies _before_ someone has a chance to add themself to the CC list by way of a herald rule like "always: cc me" attached to all maniphest tasks. We need to preempt them from adding themself to CC if the herald rule decides to restrict the task's view/edit policy.

I believe if you include a transaction which sets the CCs to the current CCs, it is guaranteed to run after any personal rules and will entirely undo the effects of any sneaky rules anyone might write.

The problem is, we add a rule that includes "subscribers can view" to the policy - so even if it prevents mail from being sent, by the end of the herald processing, the user has gained 'can view' on the private task (by way of being CC'd) even though they should have never been able to CC themself in the first place.

I know it's a stupid use case but we specifically require subscribers to be able to view, but people shouldn't be able to subscribe themselves.

In T9860#146391, @epriestley wrote:

I believe if you include a transaction which sets the CCs to the current CCs, it is guaranteed to run after any personal rules and will entirely undo the effects of any sneaky rules anyone might write.

hmm. so I would cache the CC list and then reset it?

I'm not 100% sure it actually works, but you'd just do this:

// Get the CCs before any Herald rules apply.
$current_ccs = PhabricatorSubscribersQuery::loadSubscribersForPHID($task_phid);

// Create a transaction which just sets the CCs to the current value.
$force_ccs = $adapter->newTransaction()
  ->setTransactionType(PhabricatorTransactions::TYPE_SUBSCRIBERS)
  ->setNewValue(
    array(
      '=' => array_fuse($current_ccs),
    ));

// Queue the transaction.
$adapter->queueTransaction($force_ccs);

Most of the time, that won't do anything (it will set the CCs to the current CCs, and be dropped during transaction application). But if personal rules include "Add CCs" actions, it theoretically should just overwrite them and undo them (global rules should be guaranteed to execute after personal rules).

The logic for merging transactions is a little complicated and this situation never occurs naturally anywhere in the application, so it's possible that we merge a + transaction into an = transaction by taking the sum of the two transactions instead of ignoring the +. I can fix this if that's the case -- we should just take the = transaction and ignore the + / - stuff. Then you could swap this to an action, we could do a clean cut over to EditEngine (T9132), and you could (possibly, maybe with a little more work) swap this to a separate form.

But maybe it's simpler to just wait until the form thing is ready. You might be able to swap directly to that and throw most of this stuff away entirely.

In any case, I'm sure we can find a reasonable pathway forward here that minimizes the amount of work you have to do and doesn't require forking.

How about this:

• For now, don't touch anything.
• Once T9132 is close to working for Maniphest, we can look at it in more detail and see if it gets you 100% of the way to where you need to be. I think it will (or can be made to get you there), and that's simplest if it does (you can just cut over to it and throw this stuff away).
• If it's not quite there, we can figure out which pieces still need to be in Herald (or whatever) and I can probably make adjustments (like the CC merging logic) to support the behaviors you want.

@epriestley: FWIW I don't mind doing the work, and I would love to throw away all the hacky stuff we have right now.

Also, I didn't realize the + / - / = transactions worked that way, that actually makes a lot of sense... I'll try it!

And thanks for the guidance, it's much appreciated as always.

Quick update here: ApplicationEditor/EditEngine have caught up with this, so the current plan is to indirectly remove this event in at least some cases (currently: changes made from the "Comments" area) after the stable cut on Saturday. You can upgrade to this week's stable safely but we should make sure things are in a good place before you move beyond that.

Once that's cut and deployed, D14659 + D14663 (and whatever else I do today) will land and be deployed to this server and I'll write a bunch of contextual documentation, and we can figure out if that stuff as-is is good enough for your use case or not. If it is, maybe you just upgrade whenever and throw your old stuff away at your leisure.

If it isn't and we can't easily fix it or easily get Herald in place, I'll just put the events back for now in a hacky way and we can kick the can down the road a little until we have more time to figure out how to move forward. However, if things are easy we might not need to do this.

Upshot:

• Upgrading to stable this week (after Saturday) is fine, but be careful about upgrading beyond that.
• New stuff should be available on this server and in master after the release cut on Saturday and we can figure out how exactly to move forward from there once it's clickable and everyone can actually bang on it.

Actually, you probably also don't really care about removing the comment event anyway, since it can't change policies and you can't comment on objects when creating them, and I think your listener doesn't actually end up doing anything special for the actions that are available? So this might be mostly moot anyway, but in an ideal world I'll get through the main "edit" event shortly too.

The basics of the ApplicationEditor stuff are now live on this install, and T9908 has some discussion of the direction I think we can pursue for the "Security" use case.