Page MenuHomePhabricator

Allow people to see all signatures on a Legalpad document but not allow them to edit
Open, LowPublic

Description

@Jalexander asks: Is there a user right that we can give which will allow people to see all signatures on a document but not allow them to edit?

If not, we should discuss with upstream how to implement it.

Details

Reference
fl561

Event Timeline

flimport raised the priority of this task from to Low.Sep 12 2014, 1:46 AM
flimport set Reference to fl561.

aklapper wrote on 2014-09-08 14:16:48 (UTC)

<epriestley> it's not currently possible, the privileges aren't separated right now
<andre__> thanks. would that be accepted as an upstream request, or rather not?
<epriestley> kind of a "maybe". I don't think it's necessarily a bad feature to have, but it's somewhat invovled to implement. We probably wouldn't want to build it right away. If you want to add it to T5505, we could look at building it the next time we do an iteration on Legalpad, if we've seen more requests or it makes sense at the time.
<phabot> T5505: Plan Legalpad v2 - https://secure.phabricator.com/T5505

Qgil lowered the priority of this task from Low to Lowest.Oct 24 2014, 11:50 PM

What is the use case for this? WMF-Legal will have edit rights to the document and this is also the team that needs to check whether someone has signed it or not.

Is it a big deal if the rest cannot edit and cannot see the list of signatures?

Qgil raised the priority of this task from Lowest to Low.Jan 9 2015, 5:53 PM
Qgil moved this task from Wikimedia requests to Need Discussion on the Phabricator (Upstream) board.
In T374#965619, @Qgil wrote:

What is the use case for this? WMF-Legal will have edit rights to the document and this is also the team that needs to check whether someone has signed it or not.

Is it a big deal if the rest cannot edit and cannot see the list of signatures?

it is 'less ideal' (not a deal breaker, especially at the start but would be very useful) essentially because while legal is the main 'processor' the main 'consumer' of the list in the end are stewards and otrs admins (and, maybe, at some level the general public) who have to know whether someone has identified so that they can grant rights. While the Stewards have currently expressed a desire for the list to be copied to meta for now (and we will do so at the start) having a way to just let the OTRS admins check their list (which would be a separate legalpad doc because of different age requirements) because of a right they have here would be very helpful and save a lot of effort from LCA who would not have to transfer those names to some other location (such as otrs wiki).

OTRS admins and stewards sound like people you can trust. Why not giving them edit rights, just telling them the obvious thing that community contracts cannot be edited just by anyone? Even if a document is changed, the changes are logged and the diffs are available.

@Jalexander: Any thoughts on the last comment by Quim?

@Jalexander: Any thoughts on the last comment by Quim?

Sorry, yes I generally ended up just saying (apparently to myself and not anyone else ;) ) 'sure I guess we can do that where necessary for now'. I may do it for OTRS admins, I probably won't do it for Stewards given that it reveals email addresses and there is currently no pressing need to do that for Stewards (and we were probably going to manually transfer these signatures to meta for them anyway). OTRS admins generally already have access to people's emails (I certainly trust both of them but limited access is always best even with trust).

I still think that this should remain as an open request however, from a security standpoint separating the edit and view signature right is a very useful thing to have and in my opinion relatively basic. However I've filed it in the growing pile of things that I expect Phabricator to do and it can't (most of what I want for legalpad though a good portion of them are i18n issues) and isn't worth my time pushing hard for at the moment.

It's also not as important (and so less priority) as the issue of verifying who each account actually is since the list of signatures only lists email and phabricator usernames which is relatively useless without 1 by 1 checks to see what wiki username is connected with the phab name. (Since knowing what phab account signed isn't incredibly helpful)

That is also, not going to stop me, since it does not appear like it's going to be fixed any time soon but is, in my option, a basic missing feature.

I am a bit concerned @Jalexander. View rights should not allow to see, for example, the real names of the people signing the agreements or other personal identifying information. WRT the new access to nonpublic data policy and the requirement to sign a confidentiality agreement here, I do not need to know who User:X is in real life, but that he's signed and that WMF has approved the signature, so we can grant the rights. I'd be very unconfortable knowing real identities of people because I don't need to know them; and likewise I'd be very unconfortable if any other people aside from few users of the LCA team could see the personal information of our users. I think this needs to be addressed and clarified since some stewards have expressed concerns about this and personally would reject to sign any document here if I don't know who will have access to it. Best regards.

I am a bit concerned @Jalexander. View rights should not allow to see, for example, the real names of the people signing the agreements or other personal identifying information. WRT the new access to nonpublic data policy and the requirement to sign a confidentiality agreement here, I do not need to know who User:X is in real life, but that he's signed and that WMF has approved the signature, so we can grant the rights. I'd be very unconfortable knowing real identities of people because I don't need to know them; and likewise I'd be very unconfortable if any other people aside from few users of the LCA team could see the personal information of our users. I think this needs to be addressed and clarified since some stewards have expressed concerns about this and personally would reject to sign any document here if I don't know who will have access to it. Best regards.

I have replied to you on the stewards mailing list, this is an old task that is currently not being worked on. I am comfortable with the level of access that will be able to see those signatures (which will be heavily restricted).

I have replied to you on the stewards mailing list, this is an old task that is currently not being worked on. I am comfortable with the level of access that will be able to see those signatures (which will be heavily restricted).

Thanks. Received and replied as well. Let's follow the conversation there then. Regards.

Just for background: the requirement for a name was added in the context of our Volunteer NDA process to obtain special permissions in our technical infrastructure. In that case we were substituting actual printed and signed NDAs, so the required field was an improvement. If this field bothers your users, you can tell them to add their Wikimedia username, "Foo Bar", or anything to bypass the textfield check. Their Phabricator username tied to their Wikimedia account will be logged anyway.