Security options when creating a task
Closed, Declined; Public

Description

Currently all users can see a Security entry in the form to create a new task: "Security settings will override permissions and projects as needed." + dropdown menu. This shouldn't be there.

According to T50: Restricting access to tasks based on project membership, the idea is that users can file a task as Security related by adding the "Security" project-keyword.

If we need to make short-term compromises, then one option would be to show that field only to members of the acl*Batch-Editors team. But showing that option to everybody and letting them edit it sounds like overkill and a source of confusion and mess. Imagine: what is this field here? Let me try... Ooops, where is my task!!!

Event Timeline

Qgil raised the priority of this task from to Needs Triage.
Qgil updated the task description.
Qgil changed Security from none to None.
Qgil subscribed.

Plus this:

Qgil changed Security from none to none.

Aklapper claimed this task.

I'm declining this.

That dropdown field should always be there, having seen cases when users don't file a ticket under the "Security" product in Bugzilla.
I don't have data to back up my statement, but Bugzilla Mozilla also has a customized checkbox on their simplified/guided bug entry form allowing normal users to report a Security issue.

I don't see how an average user should find out about "adding the "Security" project-keyword" except for adding the same (easier to ignore) instructions to every single link out there on the wikis.

No matter how few fields one wants to expose, I don't want to make any compromises on making it easy to safely report Security problems here.

Alright. Can we at least put it between Priority and Projects, without the legend "Security settings will override permissions and projects as needed."?

Now it is taking too much space, putting an emphasis on Security that feels excessive.

In T459#4909, @Qgil wrote:

> Alright. Can we at least put it between Priority and Projects

If I interpret https://secure.phabricator.com/book/phabricator/article/custom_fields/ correctly we can only change the order of items among custom fields themselves via 'maniphest.fields'?

> without the legend "Security settings will override permissions and projects as needed."?

The field needs an explanation. The current one might not be perfect. For the record, Mozilla Bugzilla's explanation for their checkbox says "Many users could be harmed by this security problem: it should be kept hidden from the public until it is resolved." Which feels a bit more explanatory.

Can we tackle/discuss this in a separate task, and potentially improve the current situation after RT and BZ have been handled?