Page MenuHomePhabricator

Figure out what upstream "Can Edit Task Policies" policy deprecation means for our Spaces/ACL setup
Closed, ResolvedPublic

Description

Under https://phabricator.wikimedia.org/applications/view/PhabricatorManiphestApplication/ we have Can Edit Task Policies: Custom Policy set to numerous acl* projects, Security, etc etc.
This setting has been removed in upstream in https://secure.phabricator.com/T10003.

Our docs for Phab admins creating Spaces currently say

add "Allow members of acl*groupname_policy_admins" to Phabricator's global custom "Can Edit Task Policies" setting. This is required to display the "Visible To" and "Editable By" fields (and hence the Spaces dropdown for members of that Space) in the task creation form.

Hence find out how this upstream change will affect our Spaces workflow, and if it somehow does not, @Aklapper to 'only' update our on-wiki Spaces documentation.

Revisions and Commits

Related Objects

StatusSubtypeAssignedTask
ResolvedNone
ResolvedNone
ResolvedNone
Resolvedepriestley
ResolvedNone
Resolved mmodell
ResolvedNone
Resolved mmodell
ResolvedAklapper
Resolved mmodell
ResolvedAklapper
DeclinedNone
Resolved mmodell
ResolvedNone
Declined mmodell
Resolved mmodell
Resolved mmodell
ResolvedAklapper
Resolved mmodell
ResolvedNone
DeclinedVarnent
Resolved mmodell
Resolved mmodell
ResolvedTTO
Resolved mmodell
Resolved mmodell
ResolvedAklapper
ResolvedAklapper
ResolvedAklapper
DeclinedNone
ResolvedNone
ResolvedAklapper
ResolvedAklapper
Resolved mmodell
Resolved mmodell

Event Timeline

Aklapper raised the priority of this task from to Medium.
Aklapper updated the task description. (Show Details)
Aklapper added subscribers: Aklapper, mmodell.

Ugh, wtf? I was hoping for *more* of these types of settings, not less.

We should be more concerned about how it affects our non-Spaces workflow.

Upstream has created a new system for custom forms which allow us to create multiple versions of the task creation form. Some versions of the form can have policies restricted and we can create policies that control who can use each version of the form.

It's a bit more complicated to set up but the end result is a more user friendly task editing UI where people who shouldn't see policy controls won't even see them.

So we can actually prevent people who shouldn't be editing visibility policies (both task and project, and others...) from doing so, using the new system?

We can. But the problem is, if we want that people can change the policy (indirectly), if they report a security issue. The security extension is the problem. An altnernative solution could be this task: https://secure.phabricator.com/T10061

@Aklapper: To elaborate on what I said above, after playing with the new forms on phab-01, it looks like we shouldn't need to change much in the workflow.

So instead of

add "Allow members of acl*groupname_policy_admins" to Phabricator's global custom "Can Edit Task Policies" setting.

We set up two separate task forms, one with policy controls like this:

And one without, like this:

Then we set who can use the edit task policies form, like this:

And simply limit the more powerful form to members of the appropriate acl*groupname_policy_admins projects.

Thanks, as far as I understand it this all makes sense.

Visually I love what I've seen so far on phab-01. Adding screenshots from phab-01:

  • "Create item" dropdown menu:

phab-create-task-dropdown-2016.png (434×222 px, 19 KB)

  • Create Security task form:

phab-create-sec-task.png (687×750 px, 45 KB)

So I guess we can close this now. Let users adjust spaces is possible via a third form, so this is not a problem (Custom policy for this form, so that not all users can use this (create and edit form)).

Luke081515 added a revision: Restricted Differential Revision.EditedFeb 2 2016, 4:29 PM

I think the main problem is solved by D113, so we can close this, if D113 is ready?

mmodell claimed this task.

I believe this is resolved. Resolving so that it will unblock T120013: Next Phabricator Upgrade - 2016-02-18

old policy for editing maniphest policies:

Security
acl*operations-team
importbots
acl*communityliaison_policy_admins
acl*fr_policy_admins
acl*fundraising_research_policy_admins
KLans_WMF (Kristen Lans)×

I'm removing this to replace it with forms

I believe this is resolved now.