Page MenuHomePhabricator

Allow users to restrict View Policy when creating Pastes
Closed, ResolvedPublic

Description

I see that now creating pastes is locked into a form that does not let you choose to whom you wish to share the data with. Please unlock the visibility fields so that users can create private or restricted pastes. I've myself had to create some private pastes for debug which included non-public information for debug operations.

Event Timeline

Restricted Application added subscribers: TerraCodes, Aklapper. · View Herald TranscriptSep 15 2016, 8:48 AM
Aklapper triaged this task as Low priority.Sep 15 2016, 10:14 AM

This is already possible via https://phabricator.wikimedia.org/paste/create/ and clicking "Visible To" but that dropdown is greyed out for most users.

View Policy is currently locked in our form config; not sure why.

Aklapper renamed this task from Allow creating private pastes to Allow users to restrict View Policy when creating Pastes.Sep 15 2016, 10:14 AM
Aklapper moved this task from To Triage to Need discussion on the Phabricator board.

I'm the one who changed the form. I'm just worried about abuse potential of pastes since not even administrators can override the visibility and we generally have a policy of nothing-hidden.

Dzahn added a subscriber: Dzahn.Sep 15 2016, 8:59 PM

we generally have a policy of nothing-hidden.

Though we have entire spaces that are hidden.

https://phabricator.wikimedia.org/S2 - Access Denied: Restricted Space
https://phabricator.wikimedia.org/S5 - Access Denied: Restricted Space

@mmodell I guess we could create a special form for trusted users, Trusted as in wont abuse it so they will only do private for private information.

@Paladox: that's exactly what I did.

What we need is a very inclusive process for how people get added to the 'trusted' group. We don't currently have a proper acl for this.

I'm going to create a new task proposing a new acl. This is just one use-case for such a thing.

Note that the current situation breaks the docs at https://www.mediawiki.org/wiki/Phabricator/Help/Two-factor_Authentication_Resets (whether this docs make any sense if the user cannot get into Phab anymore anyway is a different question).

I can revert the change I made to the paste form ... but I do worry about the implications

mmodell closed this task as Resolved.Sep 16 2016, 1:45 AM
mmodell claimed this task.

I reverted the change that I made to the paste forms for now. We should still continue the discussion about what (if any) restrictions make sense. (See T145832)

Thank you @mmodell. Also, if you create for example a private security task, and want to link a paste to it, it does not make much sense for the paste to be public, but restricted to the original task subscribers I think.

Tgr reopened this task as Open.Oct 4 2017, 7:31 PM
Tgr added a subscriber: Tgr.

Seems like this has been re-reverted.

Tgr added a comment.Oct 4 2017, 7:32 PM

From Z567:

MarcoAurelio11: @Tgr You're surely a member of a project that allows changing the visibility policies of pastes, because I cannot do that.
s/pastes/Phabricator objects
Framawiki: I can confirm, as normal phab user I can't create pastes with custom policies nor change them.

I would like the ability to do this with pastes too please.

I'm just worried about abuse potential of pastes since not even administrators can override the visibility and we generally have a policy of nothing-hidden.

This is a (not only Paste) concern I share (cf. non-public T177423 which is about a similar topic).
Which brings us to discussing T145832: Create Trusted Contributors project? I guess.

@Aklapper: I know members of the ops team use private pastes for critical work so I don't see disabling that as an option, however, I agree we could restrict who has the ability.

Sometimes we need to create private pastes. I don't see much of a fuss in allowing (some?) users to do so. What if they can't be seen by administrators (not true as they can change ownership via CLI should they need to do so afaik; Spaces are different). The "nothing-hidden policy" is not workable in an absolute way. We sometimes need to create private Tasks, Pastes, Conpherence rooms, etc. Thanks.

Tgr added a comment.Oct 4 2017, 10:52 PM

What abuse are we worried about, exactly? File sharing? Admins can see private pastes and only they can delete things anyway so private/not private does not seem to make much of a difference.
Or well-intentioned but misguided users making things more private than needed? Does that actually happen?

Currently people who are involved in important work that's not public for good reasons (security, privacy, anti-abuse) cannot share their code seems to me a lot more pressing real-world issue than any of the above.

Paladox added a comment.EditedOct 4 2017, 10:56 PM

Admins carnt see private pastes unless the user manually adds the group.

greg added a subscriber: greg.Oct 4 2017, 11:03 PM

What abuse are we worried about, exactly? File sharing? Admins can see private pastes and only they can delete things anyway so private/not private does not seem to make much of a difference.

Except it's actually not possible to do so via the web interface; an admin would need to do so via the command line. It's even more annoying with files/images.

Or well-intentioned but misguided users making things more private than needed? Does that actually happen?

Don't think that's the issue.

Currently people who are involved in important work that's not public for good reasons (security, privacy, anti-abuse) cannot share their code seems to me a lot more pressing real-world issue than any of the above.

I don't think there is an actual proposal to remove that ability. There is a proposal in T145832 to restrict certain actions to an inclusive group but one with a minimum amount of "you're not a spammer/filesharer" checking.

Tgr added a comment.Oct 5 2017, 12:17 AM

Except it's actually not possible to do so via the web interface; an admin would need to do so via the command line. It's even more annoying with files/images.

FWIW for files Phabricator's default visibility handling (make it the same as the task it is uploaded to) is working well. Unfortunately there is no way to assign a paste to a task in a similar fashion.

I don't think there is an actual proposal to remove that ability.

That ability *has* been removed (from most users), which is why I reopened this task. T145832 sounds reasonable but it does not exist yet and most people apparently have already lost the ability to create non-public pastes. Sounds like that was an unintentional change?

That ability *has* been removed (from most users)

For reference, this was https://phabricator.wikimedia.org/transactions/editengine/paste.paste/view/14/#615:

@mmodell changed the visibility from "All Users" to "WMF-NDA (Project)". Jun 18 2017, 4:59 PM

I guess I'll revert that change for now, pending some consensus on T145832: Create Trusted Contributors project?

mmodell closed this task as Resolved.Nov 6 2017, 6:03 PM

ok, paste is unlocked for all users.

Dzahn awarded a token.Nov 6 2017, 8:09 PM
Tgr added a comment.Feb 13 2018, 8:10 PM

Seems like this has regressed, per T186975#3968566.

@Tgr hi, the user needs to be in https://phabricator.wikimedia.org/project/profile/3104/ to be able to create private pastes.

Tgr added a comment.Feb 13 2018, 8:12 PM

APerson is in fact in that group.

"Paladox added a member for Trusted-Contributors: APerson.
Tue, Feb 13, 8:11 PM"

Tgr added a comment.Feb 13 2018, 8:13 PM

Oh, sorry, I see you just added him. Anyway this task was about not restricting private paste creation.