Align the 2.16.25 notes text with sibling releases
Change-Id: Id0929a666c62fe2ff4c8ce5b1355f14c79a5fa1f
diff --git a/pages/site/releases/2.16.md b/pages/site/releases/2.16.md
index 15bdfeb..886eed0 100644
--- a/pages/site/releases/2.16.md
+++ b/pages/site/releases/2.16.md
@@ -654,14 +654,14 @@
for all refs. The latter only had logic to decide if a Git ref is visible
according to the Gerrit `READ` permissions. This includes all refs under
`refs/heads` as well as any other ref that isn't a database ref or a Git
- tag. This component was unaware of Git tags and database references. Hence,
+ tag. This component was unaware of Git tags and notedb-related refs. Hence,
when asked for a database reference such as `refs/changes/xx/yyyyxx/meta`,
the logic would allow access if the user has `READ` permissions on any of
the ref prefixes (such as the default "read refs/* Anonymous Users").
That was problematic, because it bypassed
[documented behavior](http://gerrit-documentation.storage.googleapis.com/Documentation/2.16.25/access-control.html)
- where a user should only have access to a change if they can see the
+ where a user should only have access to a change if he can see the
destination ref. The same goes for other database references.
* [Issue 13514](https://bugs.chromium.org/p/gerrit/issues/detail?id=13514):
@@ -671,13 +671,13 @@
hiding refs based on the project's ACLs. There is however an optimization
that skips the filtering in case a user has `READ` permissions on every ACL
pattern(s). When the target repository is `All-Users`, the optimization
- turns into a security issue because it allows seeing everything that
- belongs to everyone, i.e.:
+ turns into a security issue because it allows seeing all personal information
+ associated with all accounts, i.e.:
* draft comments
- * PII of all users
- * external ids
* draft edits
+ * personally identifiable information (PII) of all users
+ * external ids
This fix now blocks Gitiles or any other part of Gerrit to abuse this power
when the target repository is `All-Users`, where nobody can be authorized