We need a short term plan for private tasks fully agreed by @csteipp and the Phabricator team. Currently we have a system that works and several open issues. Before attempting to solve the issues one by one, we need to be on the same page with the overall plan.
- Collect all the affected tasks as blocked tasks.
- Write down a description of the current implementation (done) and the aspects that need to be improved.
- Sit down, discuss and edit until we have a common plan.
Then we will proceed resolving the tasks accordingly.
|Feature||Implementation||Expectation||Happy with current implementation|
|Making a task private||Security dropdown sets access control template via Herald||Visibility status independent of projects||As an interim solution yes. As a definitive solution, maybe not. Upstream plans to work on Spaces.|
|Associating projects to private tasks||Yes||Yes||Yes|
|T475: Authors of private tasks should be able to access them||Yes||Yes||Yes|
|Access for authors of Bugzilla migrated private tasks||Only after the task is updated||Yes||Yes, by now most issues are updated, and if there is any remaining updating it is easy.|
|T518: Users CCed in private tasks should be able to access them||External users CCed receive notifications but they cannot view or edit the tasks. Any exceptions need to be handled out of the Security template.||Yes||No, and this is the biggest problem currently. Users CCed must be able to view and edit. Changing the policy manually is causing extra work for @csteipp. It's considered a regression from the situation we had in Bugzilla.|
|CCed users can add other CCed users||No, by design.||Yes, as we could in Bugzilla||No, although this is not as urgent/important as CCed users not being able to view/edit.|
|Access for CCed users in Bugzilla migrated tasks||Probably the same as above after the task is updated.||Same as above||No, same as above|
|Files uploaded directly to a private task inherit private policy||Yes||Yes||Yes, no problems found so far.|
|Thumbnails of private images should be private||No, it would take a big performance hit and with such small size doesn't disclose anything. You need to know the exact URL of the thumbnail. Upstream agrees.||Yes||No, this is a requirement we also have for MediaWiki, and we are paying the performance penalty there as well. @csteipp is happy to put us in touch with the colleagues that fixed this in MediaWiki. Not urgent, but it needs to be a goal in our plans.|