Page MenuHomePhabricator

Limiting Batch Edits to certain users
Closed, ResolvedPublic

Description

Currently a user with bad intentions could create quite a mess with batch edits, and it is unclear how that mess could be repaired. It hasn't happened, but... should we wait?

I would restrict the Batch Edit permission to an invitation-only group where the Phabricator, Operations, and WMF-NDA members could add new members. Ideally this permission would be granted automatically based on the trust/activity accumulated by the user, to keep away new / unexperienced users, puppet accounts, etc. Today we lack these mechanisms, hence delegating the trust criteria to some trusted members.

Maybe we should reset Triagers and use it for this?

Event Timeline

Qgil created this task.Nov 17 2014, 3:03 PM
Qgil raised the priority of this task from to Normal.
Qgil updated the task description. (Show Details)
Qgil added projects: Phabricator, Triagers.
Qgil changed Security from none to None.
Qgil added subscribers: Aklapper, chasemp, Jdforrester-WMF and 4 others.

Batch editing is currently available to all(?) users on Bugzilla, though…

Qgil moved this task from To Triage to Need discussion on the Phabricator board.Nov 17 2014, 5:11 PM

Batch editing is currently available to all(?) users on Bugzilla, though…

No, you need editbugs (and/or canconfirm?).

Batch editing is currently available to all(?) users on Bugzilla, though…

No, you need editbugs (and/or canconfirm?).

Aha. In that case, yeah. Limiting it to the Triagers group though might be about the right level, given the restricted ambition for that group.

Hmm, Triagers has been archived (T583) for the time being... :-/

Qgil added a comment.Nov 17 2014, 5:49 PM

Hmm, Triagers has been archived (T583) for the time being... :-/

That's the easy part. Remove current members, add the teams proposed, unarchive, set policy.

Qgil added a comment.Nov 23 2014, 10:51 PM

I have started with this:

Can Bulk Edit Tasks: Phabricator

Tomorrow I will clean Triagers and apply the policy proposed in the description, unless someone has a better idea before. Then we can continue the discussion if needed, but without this pressure of "what if...?"

Qgil claimed this task.Nov 23 2014, 10:51 PM
Qgil moved this task from Need discussion to Doing on the Phabricator board.
Qgil added a subscriber: Qgil-test.Nov 24 2014, 9:58 AM

What I have done:

  1. Activate Triagers and edited the description.
  2. Keep all the Triagers members. I went through the list and I saw no reason to remove anybody.
  3. Change the policy of this project: Editable By: Phabricator (Project); Joinable By Custom Policy (Phabricator, Operations, and WMF-NDA members, who can add other members).
  4. Change Maniphest's policy Can Bulk Edit Tasks: Triagers (Project). I did it here, and now the change must be properly applied to the Puppet rules. I took the quick path only because today is our first working day with Bugzilla merged, and I expect this feature to be needed by some. In fact, @Jdforrester-WMF had requested it already.
  5. Tested with @Qgil-test; seems to work. The Batch Task Editor is not even shown, and Shift-Click does nothing.
  6. Documented at https://www.mediawiki.org/wiki/Phabricator/Help#Batch_Edits

This task can be Resolved as soon as the Mnaiphest policy change has been properly applied, unless someone has a good idea to improve the process proposed.

revi added a subscriber: revi.Nov 24 2014, 3:35 PM
In T1292#777726, @Qgil wrote:

What I have done:

[Snip]

Thank you!

Qgil closed this task as Resolved.Nov 26 2014, 7:39 AM
In T1292#777726, @Qgil wrote:

This task can be Resolved as soon as the Mnaiphest policy change has been properly applied, unless someone has a good idea to improve the process proposed.

Actually, being this a condition specific to this instance (we don't need this in Labs), maybe it is good that this configuration is set via the admin UI only.

Resolving.