
Unarchive WMUA-tech project and create a custom security policy for its members
Open, Low, Public

Description

Wikimedia Ukraine technical committee has decided to give Phabricator another try.

We would like to have https://phabricator.wikimedia.org/project/profile/1686/ unarchived.

We would also like to have the ability to create tasks that only techcom members would have access to. I believe this can be achieved with creation of a custom security policy, but if the correct solution lies elsewhere I would appreciate being directed to it.

I have updated the project's members as per https://ua.wikimedia.org/wiki/Технічний_комітет#Склад_комітету (Ilya has two accounts on Phabricator).

If any extra information is needed I am happy to provide it.

Event Timeline

@Aklapper, it looks like spaces are not the best option. At the moment I am a member of only S1 and I cannot select other spaces when creating a task. In a perfect-case scenario we would like to cover both use cases, such as:

  • A project member creates an internal task (e.g. techcom member creates a task that has some non-public configuration mentioned)
  • A person who is not a project member creates an internal task (that only they and the project members will see — e.g. a WLM UA team member might ask to update the respective mailing list with certain emails)

So something like creating a space for only project members would probably only solve the former use case.

Do we need an acl group for that to work as wanted, or is it possible to just use https://phabricator.wikimedia.org/project/profile/1686/ for access management? We would need to allow only its members to add new members in such a case.

Also it seems that https://phabricator.wikimedia.org/maniphest/task/edit/form/3/, which allows setting the "Visible To" field, is not accessible to everyone (@AntonProtsiukWMUA wasn't able to access it for once), so I am not sure what would be the best way for it. Can we have a custom form for private WMUA tech com tasks (or is it possible to have one for any WMUA tech com tasks and have a checkbox or something for indicating private status there)?

Sorry for bombarding you with questions like this.

Also thank you for unarchiving the project!

Hmm.... Looking at https://www.mediawiki.org/wiki/Phabricator/Help#Restricting_access_to_tasks , I don't think we have a great workflow for covering "This shouldn't be a public ticket and anyone should be able to file this ticket so it becomes non-public immediately" (except for Security issues).

The View policy for the ticket creation form https://phabricator.wikimedia.org/maniphest/task/edit/form/3/ (which will display the "View Policy" dropdown for the person creating a ticket, while the default ticket creation form does not expose it) lists numerous acl* projects that folks would have to be a member of, most of them being bound to membership in some restricted Space. :-/

@mmodell: Any better idea for a feasible approach? For example, I wonder if we could expand the View Policy of form number 3 to also include members of Trusted-Contributors (but not sure which edit form would be related, plus wondering if expanding might already be a bit dangerous when it comes to vandalism?)

@Aklapper the biggest risk with giving security policy access is that there is no super-admin with overriding access. There is a command line tool to unlock the policy on a given object.

I think the biggest reason that policy controls are not available to trusted contributors is to avoid normalizing the restriction of access. Since we want to be transparent as much as possible we really don't want to encourage the use of hidden tasks. I'm not against giving access to the controls for people who already demonstrated good behavior and good intentions though. It could be a process like project admins where people request access?

  • A person who is not a project member creates an internal task (that only they and the project members will see — e.g. a WLM UA team member might ask to update the respective mailing list with certain emails)

We can make a custom form that has the appropriate ACL pre-set to author + members of project X. The only drawback to that is that everyone would need to use that specific form for submitting private tasks and they couldn't switch mid-way through writing their task without copying and pasting into a different form.

I obviously don't know how to proceed here. :(

@Aklapper, oh sorry, I have missed the comment from mmodell. I will check.

@Aklapper, @mmodell, it seems that it does not quite work as intended; when attempting to use the form, @AntonProtsiukWMUA sees the following right upon following the link to the form:

[Attached screenshot: IMG_20220206_164753_676.jpg]

Is it possible to set it up so that anyone can use the form but only project members can see the tasks?

Is it possible to set it up so that anyone can use the form but only project members can see the tasks?

Hmm... I don't think so, as that would imply that I'd file a task and then I cannot view the task anymore... Currently people need to be members of https://phabricator.wikimedia.org/project/members/1686/ to use that form (as forms also pre-define who can view/edit a task created by using that form).

I think that the owner of a task can always see it but I might be mistaken.

OK, I think it should allow anyone to use the form now.

@mmodell: Thanks. Hmm, but changing visibility from "WMUA-Tech (Project)" to "All Users" doesn't make "only project members can see the tasks", or...?