This is security relevant, as sometimes the task title alone already contains sensitive information.
If somebody creates a task with a very restrictive view policy but tags the task with a workboard-enabled project, the task title is revealed in the workboard to everyone who can view the project.
The workaround is to restrict the view policy of the project, but this is very ugly, as we actually want people to see the tags of a task instead of having the UI full of “Restricted Project” tags.
The view policy of the task should be respected by project workboards and also print “Restricted Task” like all the other UI does. Maybe the tasks shouldn’t even be displayed there if the user doesn’t have the rights to view the task anyway?
phabricator 201c56a91ee5764aaacfbce2c0ad7a5822a7c852 (Fri, Apr 20) (branched from 33da9f833fdd6bbf2d1ade40acd091f4a9f0ac76 on origin)
arcanist 23f199bf180758e99b9d5ac604777cbd90d0e507 (Fri, Apr 20) (branched from ad3087e5e151e4b5f5fb39cc6846039fc4f7018f on origin)
phutil f3e10579f640ebad648c56f677164647ab7251a4 (Sat, Apr 14) (branched from 20eff1c8d14f08f05ef72828fa379e871d29662c on origin)
diff 3.3 at /usr/bin/diff
git 126.96.36.199 at /usr/share/phabricator/support/bin/git
hg Not Available
pygmentize 1.4 at /usr/bin/pygmentize
svn Not Available
Create a task with a restrictive view policy but tag it with a publicly visible, workboard-enabled project. Log out and visit the workboard. The title of the task is revealed.
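The behaviour requested in this report can be modelled with a small policy check. This is an added example, not part of the original report and not Phabricator code; the `Task`, `Project`, `can_view` and `render_board*` names and the sample data are assumptions made for illustration.

```python
from dataclasses import dataclass, field

PUBLIC = "public"  # constructed policy value: anyone, including logged-out viewers

@dataclass
class Task:
    title: str
    view_policy: object  # PUBLIC or a set of allowed user names
    projects: set = field(default_factory=set)

@dataclass
class Project:
    name: str
    view_policy: object

def can_view(viewer, policy):
    """viewer is a user name, or None for a logged-out visitor."""
    if policy == PUBLIC:
        return True
    return viewer is not None and viewer in policy

def render_board_leaky(viewer, project, tasks):
    """Behaviour described in the report: only the project policy is checked."""
    if not can_view(viewer, project.view_policy):
        return []
    return [t.title for t in tasks if project.name in t.projects]

def render_board(viewer, project, tasks, hide_restricted=False):
    """Per-card check: each task's own view policy decides what is shown."""
    if not can_view(viewer, project.view_policy):
        return []
    cards = []
    for t in tasks:
        if project.name not in t.projects:
            continue
        if can_view(viewer, t.view_policy):
            cards.append(t.title)
        elif not hide_restricted:
            cards.append("Restricted Task")  # placeholder, title withheld
    return cards

# Constructed sample data: one restricted task and one public task on a public board.
BOARD = Project("Infrastructure", PUBLIC)
TASKS = [
    Task("Rotate leaked deploy key for db-01", {"alice"}, {"Infrastructure"}),
    Task("Update README", PUBLIC, {"Infrastructure"}),
]
```

`hide_restricted=True` corresponds to the second suggestion in the report, where tasks the viewer cannot see are left off the board entirely.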