People task doesn't respect policy?

  • I have created a task and assigned it to a “dummy” user. For testing purposes, I set the policy so that the “dummy” user cannot view it yet.
  • When I logged in as the “dummy” user and went to Maniphest > Assigned, there was no task found. This is as expected.
  • But when I logged in as myself and went to People > dummy > Assigned Task, the task is shown. Should it respect the policy so that no task is found, or is this by design?

The purpose is I need to know if the policy is set correctly. Maybe there’s some other way to test?

Installed Version

phabricator 97a4a59cf2c7f3fcf8cf013655cab4b4185a99b8 (Mon, Aug 26)
arcanist d92fa96366c0ed50e4257508148aa75192d4fb1f (Jun 21 2019)
phutil b416093386a225b1d9a2de906899b94cbf4babcb (Jul 9 2019)

Is your expectation that “alice” can not view a task that is “Visible To: Everyone Except dummy”?

Or is your expectation that “People > dummy > Assigned Tasks” shows tasks as the user “dummy” would see them, not as you see them? If so, suppose “dummy” is assigned a task that you can not see. Would you expect it to appear under “People > dummy > Assigned Tasks”?

Is your expectation that “alice” can not view a task that is “Visible To: Everyone Except dummy”?

No, I expect that “alice” can view the task, because it is visible to everyone

Or is your expectation that “People > dummy > Assigned Tasks” shows tasks as the user “dummy” would see them, not as you see them? If so,

Yes, this is what I expect

suppose “dummy” is assigned a task that you can not see. Would you expect it to appear under “People > dummy > Assigned Tasks”?

I expect I cannot see it. Ah, I see, this is a contradiction with what I expected above, right.

So basically what I want is to view things as the user would see them, to make sure that my policy is set up correctly for a user. Is it possible?

Please enlighten me. Thanks.

The only real way to do this is to log in to the user’s account. You can most easily do this from the command line:

phabricator/ $ ./bin/auth recover dummy

…then copy/paste that URL into an incognito window.

There’s no web UI for previewing policies as other users see them, and we can’t really build this in the general case because user A may not be able to see all the tasks that user B can see, and we can’t show user A tasks they don’t have permission to see if they click “Show Me What User B Sees”, since this would just break the policy model (it would let anyone view any task by clicking the right “Show Me What User X Sees” button).

In theory, we could build a “Can User B See This Task?” button, or a “Show Me Things I Can See That User B Can Also See” button, but these features don’t currently exist.
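To make the policy model described above concrete, here is a small added example (not Phabricator's own code; the `Policy`, `User`, `Task` classes and the sample tasks are all constructed for illustration). It shows why "People > dummy > Assigned Tasks" is filtered by the viewer's own permissions rather than the assignee's, and how a "Can User B See This Task?" check can be answered without revealing anything the viewer is not already allowed to see:

```python
# Added example, not Phabricator's own code: a toy model of view policies such
# as "Visible To: Everyone Except dummy". All users, tasks and policies below
# are constructed sample data.
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class User:
    name: str
    is_admin: bool = False


@dataclass(frozen=True)
class Policy:
    """A view policy: 'everyone', 'admins', or 'except' a set of user names."""
    rule: str = "everyone"
    excluded: frozenset = frozenset()  # only used when rule == "except"

    def allows(self, user: User) -> bool:
        if self.rule == "everyone":
            return True
        if self.rule == "admins":
            return user.is_admin
        if self.rule == "except":
            return user.name not in self.excluded
        raise ValueError(f"unknown policy rule {self.rule!r}")


@dataclass(frozen=True)
class Task:
    id: int
    title: str
    assignee: str
    view_policy: Policy


def can_view(viewer: User, task: Task) -> bool:
    """The single policy check every query below is built on."""
    return task.view_policy.allows(viewer)


def assigned_tasks(viewer: User, assignee: str, tasks: List[Task]) -> List[Task]:
    """What 'People > <assignee> > Assigned Tasks' shows to *viewer*: tasks
    assigned to `assignee` that the *viewer* may see. The assignee's own
    permissions play no part, which is the behaviour observed in the thread."""
    return [t for t in tasks if t.assignee == assignee and can_view(viewer, t)]


def can_user_see(viewer: User, other: User, task: Task) -> Optional[bool]:
    """A policy-safe 'Can User B See This Task?' check (hypothetical feature).
    It answers only for tasks the viewer can already see; otherwise it returns
    None, so it never confirms the existence or policy of a hidden task."""
    if not can_view(viewer, task):
        return None
    return can_view(other, task)


# Constructed sample data mirroring the thread: "alice" created a task for
# "dummy" with the policy "Visible To: Everyone Except dummy".
alice = User("alice")
dummy = User("dummy")
TASKS = [
    Task(1, "Policy test task", "dummy", Policy("except", frozenset({"dummy"}))),
    Task(2, "Public chore", "dummy", Policy("everyone")),
    Task(3, "Admin-only item", "dummy", Policy("admins")),
]

if __name__ == "__main__":
    # Logged in as dummy, Maniphest > Assigned lists only what dummy can see.
    print([t.id for t in assigned_tasks(dummy, "dummy", TASKS)])  # [2]
    # Logged in as alice, People > dummy > Assigned Tasks is filtered by
    # alice's permissions, so task 1 appears even though dummy cannot see it.
    print([t.id for t in assigned_tasks(alice, "dummy", TASKS)])  # [1, 2]
    # Task 3 is hidden from alice, so asking whether dummy can see it yields
    # None rather than an answer that would reveal a task alice cannot access.
    print(can_user_see(alice, dummy, TASKS[0]), can_user_see(alice, dummy, TASKS[2]))
```

The point of `can_user_see` returning `None` instead of an answer is exactly the constraint in the reply above: a "show me what user B sees" feature must never let user A learn about objects A cannot view, so any such check has to be gated on A's own permissions first.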

I see that auth recover can skip password changes, so the user can still log in to their account using their password :+1:

A “Can User B See This Task?” button would be great. I imagine this button could only be used by an administrator. But it’s not really that important.

Thank you for your valuable time explaining to me :slightly_smiling_face: