3 matches found
Phabricator: Edit Policy restriction does not prevent comments.
Change the edit policy of a Maniphest Task - Attempt to comment on the task with a user who doesn't have access Impact Given a few users I spoke to believe restricting the edit policy blocks comments, this allows an underprivileged user to gain access to carry out a restricted action. Mongoos...
Phabricator: Autoclose can close any task regardless of policies/spaces
Description If a user can push to a repository that has autoclose enabled, they can close //any// Maniphest task on the install, including tasks whose policies otherwise restrict the user from viewing or editing, and tasks inside Spaces that the user can't view. I don't think this rises to the...
Phabricator: Dashboard panel embedded onto itself causes a denial of service
I know this may not qualify for a bounty since it's a DoS, but I believe you'd rather get sensitive reports through HackerOne rather than Maniphest. PS: mongoose. Steps to reproduce ================ In Dashboards, create a new Text Panel let's say it would get the object reference W1 on creation...