
Don't count "Cc: x@y.com" as a legitimate recipient if the user who has "x@y.

Description

Don't count "Cc: x@y.com" as a legitimate recipient if the user who has "x@y.com" attached to their account has not verified the address

Summary:
Fixes T13317. On admin.phacility.com, an enterprising user added noreply@admin.phacility.com to their account. This caused them to become CC'd on several support issues over the last year, because we send mail "From" this address and it can get CC'd via reply/reply all/whatever else.

The original driving goal here is that if I reply to a task email and CC you on my reply, that should count as a CC in Phabricator, since this aligns with user intent and keeps them in the loop.

This misfire on noreply@ is ultimately harmless (being CC'd does not grant the user access permission, see T4411), but confusing and undesirable. Instead:

  • Don't allow reserved addresses ("noreply@", "ssladmin@", etc) to trigger this subscribe-via-CC behavior.
  • Only count verified addresses as legitimate user recipients.

Test Plan:

  • Added a bin/mail receive-test --cc ... flag to make this easier to test.
  • Sent mail as bin/mail receive-test --to X --as alice --cc bailey@verified.com. Bailey was CC'd both before and after the change.
  • Sent mail as bin/mail receive-test --to X --as alice --cc unverified@imaginary.com, an address which Bailey has added to her account but not verified.
    • Before change: Bailey was CC'd on the task anyway.
    • After change: Bailey is not CC'd on the task.

Reviewers: amckinley

Reviewed By: amckinley

Maniphest Tasks: T13317

Differential Revision: https://secure.phabricator.com/D20593
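
The two rules from the summary (skip reserved addresses, count only verified addresses), shown as an added stand-alone example. This is not Phabricator's code: the names `AccountEmail`, `is_reserved` and `subscribers_from_cc` are hypothetical, and the account data and headers are constructed, reusing the addresses from the test plan.

```python
from dataclasses import dataclass
from email.utils import getaddresses

# "noreply" and "ssladmin" are named in the commit message; the other
# entries are assumptions added for illustration.
RESERVED_LOCAL_PARTS = {"noreply", "ssladmin", "postmaster", "abuse"}


@dataclass(frozen=True)
class AccountEmail:
    user: str        # account the address is attached to
    address: str
    verified: bool   # True only after the owner proved control of it


def is_reserved(address: str) -> bool:
    local, _, _ = address.rpartition("@")
    return local in RESERVED_LOCAL_PARTS


def subscribers_from_cc(cc_headers, account_emails):
    """Return (users to subscribe, {skipped address: reason})."""
    # Only verified addresses can map a Cc back to an account.
    owner = {e.address.lower(): e.user for e in account_emails if e.verified}
    subscribed, skipped = [], {}
    for _name, raw in getaddresses(cc_headers):
        addr = raw.strip().lower()
        if not addr:
            continue
        if is_reserved(addr):
            # Checked first, so a reserved address never subscribes
            # anyone, even if some account has verified it.
            skipped[addr] = "reserved"
        elif addr not in owner:
            skipped[addr] = "no verified owner"
        elif owner[addr] not in subscribed:
            subscribed.append(owner[addr])
    return subscribed, skipped


# Constructed sample data (not taken from a real install).
SAMPLE_ACCOUNTS = [
    AccountEmail("bailey", "bailey@verified.com", True),
    AccountEmail("bailey", "unverified@imaginary.com", False),
    AccountEmail("casey", "noreply@admin.phacility.com", True),
]
SAMPLE_CC = ["Bailey <bailey@verified.com>, unverified@imaginary.com",
             "NoReply@admin.phacility.com"]

if __name__ == "__main__":
    print(subscribers_from_cc(SAMPLE_CC, SAMPLE_ACCOUNTS))
```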