Page MenuHomePhabricator

Figure out what upstream "Can Edit Task Policies" policy deprecation means for our Spaces/ACL setup
Closed, ResolvedPublic

Description

Under https://phabricator.wikimedia.org/applications/view/PhabricatorManiphestApplication/ we have Can Edit Task Policies: Custom Policy set to numerous acl* projects, Security, etc etc.
This setting has been removed in upstream in https://secure.phabricator.com/T10003.

Our docs for Phab admins creating Spaces currently say

add "Allow members of acl*groupname_policy_admins" to Phabricator's global custom "Can Edit Task Policies" setting. This is required to display the "Visible To" and "Editable By" fields (and hence the Spaces dropdown for members of that Space) in the task creation form.

Hence find out how this upstream change will affect our Spaces workflow, and if it somehow does not, @Aklapper to 'only' update our on-wiki Spaces documentation.

Related Objects

StatusAssignedTask
ResolvedNone
ResolvedNone
ResolvedNone
Resolvedepriestley
ResolvedNone
Resolvedmmodell
OpenNone
Resolvedmmodell
ResolvedAklapper
Resolvedmmodell
ResolvedAklapper
DeclinedNone
Resolvedmmodell
ResolvedNone
Declinedmmodell
Resolvedmmodell
Resolvedmmodell
ResolvedAklapper
Resolvedmmodell
ResolvedNone
DeclinedVarnent
Resolvedmmodell
Resolvedmmodell
ResolvedTTO
Resolvedmmodell
Resolvedmmodell
ResolvedAklapper
ResolvedAklapper
ResolvedAklapper
DeclinedNone
ResolvedNone
ResolvedAklapper
ResolvedAklapper
Resolvedmmodell
Resolvedmmodell

Event Timeline

Aklapper raised the priority of this task from to Normal.
Aklapper updated the task description. (Show Details)
Aklapper added subscribers: Aklapper, mmodell.
Restricted Application added subscribers: Luke081515, scfc. · View Herald TranscriptDec 28 2015, 11:34 PM

Ugh, wtf? I was hoping for *more* of these types of settings, not less.

Krenair added a comment.EditedDec 28 2015, 11:42 PM

We should be more concerned about how it affects our non-Spaces workflow.

Upstream has created a new system for custom forms which allow us to create multiple versions of the task creation form. Some versions of the form can have policies restricted and we can create policies that control who can use each version of the form.

It's a bit more complicated to set up but the end result is a more user friendly task editing UI where people who shouldn't see policy controls won't even see them.

So we can actually prevent people who shouldn't be editing visibility policies (both task and project, and others...) from doing so, using the new system?

We can. But the problem is, if we want that people can change the policy (indirectly), if they report a security issue. The security extension is the problem. An altnernative solution could be this task: https://secure.phabricator.com/T10061

@Aklapper: To elaborate on what I said above, after playing with the new forms on phab-01, it looks like we shouldn't need to change much in the workflow.

So instead of

add "Allow members of acl*groupname_policy_admins" to Phabricator's global custom "Can Edit Task Policies" setting.

We set up two separate task forms, one with policy controls like this:

And one without, like this:

Then we set who can use the edit task policies form, like this:

And simply limit the more powerful form to members of the appropriate acl*groupname_policy_admins projects.

Thanks, as far as I understand it this all makes sense.

Visually I love what I've seen so far on phab-01. Adding screenshots from phab-01:

  • "Create item" dropdown menu:

  • Create Security task form:

So I guess we can close this now. Let users adjust spaces is possible via a third form, so this is not a problem (Custom policy for this form, so that not all users can use this (create and edit form)).

I think the main problem is solved by D113, so we can close this, if D113 is ready?

Luke081515 moved this task from To Triage to Doing on the Phabricator board.Feb 4 2016, 6:27 PM
mmodell closed this task as Resolved.Feb 12 2016, 7:02 PM
mmodell claimed this task.

I believe this is resolved. Resolving so that it will unblock T120013: Next Phabricator Upgrade - 2016-02-18

mmodell reopened this task as Open.Feb 18 2016, 3:02 AM

old policy for editing maniphest policies:

Security
acl*operations-team
importbots
acl*communityliaison_policy_admins
acl*fr_policy_admins
acl*fundraising_research_policy_admins
KLans_WMF (Kristen Lans)×

I'm removing this to replace it with forms

mmodell closed this task as Resolved.Feb 22 2016, 7:33 PM

I believe this is resolved now.