Some of CL information is under wraps or embargoed for brief amounts of time.
- Mentioned In
- T138677: Make a list of spaces we have, and who can access them
T105742: Document Phabricator Spaces for teams
- Mentioned Here
- T109810: Verify bn.wikipedia.org via Webmaster Tools to allow linking a bn.wikipedia.org button to G+ page
T88762: Enable select Fundraising people to modify policy for tasks
@Rdicerb can you add some more detail? I don't understand what the goal of this task is yet but I'm wondering if you are misunderstanding what a private project is at this point in Phabricator.
Rachel is asking for a setup like Fundraising Tech's private tasks. We discussed this in a conversation a couple of weeks ago.
So this is about replicating T88762
@Rdicerb, in any case https://www.mediawiki.org/wiki/Phabricator/Creating_and_renaming_projects#New_projects still applies, since you will need a new project only to handle these private tasks. Please provide the information requested.
I created S2 for Community Liaisons and created documentation but it is not working as expected yet. Meh.
I have added my private account @Malyacko to "Can View" and "Can Edit" of the Space S2 in this production instance but for reasons I do not get, there is no Spaces dropdown shown on https://phabricator.wikimedia.org/maniphest/task/create/ for my private user. It IS shown for my admin account @Aklapper however in production.
It works on phab-01.wmflabs.org of course where I'm admin as @AndreTest and a normal user as @AckoS3 (and "Can View" should be sufficient anyway, "Can Edit" should not be needed, as seen on phab-01).
I don't see any Spaces related stuff in https://phabricator.wikimedia.org/config/all/ either that could be a simple settings difference between phab-01 and production.
Comparing https://phabricator.wikimedia.org/applications/view/PhabricatorSpacesApplication/ and https://phab-01.wmflabs.org/applications/view/PhabricatorSpacesApplication/ there is no difference, except for phab-01 stating "This application is a prototype." (which makes me wonder how different the age of the two codebases is).
I'm really puzzled here and would welcome another pair of eyes (@chasemp, @mmodell).
I don't see any space S2? @Aklapper: are you sure you created a space? Is it just that my account can't see it?
Ok maybe it's this: https://phabricator.wikimedia.org/applications/edit/PhabricatorManiphestApplication/
"Can Edit Task Policy" is set to a custom policy, I bet editing the "space" dropdown on tasks requires that you are allowed to edit the task policy.
You're making a space? I don't think that's a FR tech-like setup. Have you asked CL about what they actually need in terms of being able to include other people? Why is WMF-NDA insufficient?
I had discussed this case with @Rdicerb and the Community-Relations-Support team. A significant percentage of their work involves information that is either not public yet (early drafts, coordinated announcements...) or that it will never be public (conflicts and such). Before Phabricator the team handled most of their work privately, with Phabricator they have moved part of their work here, but they are still splitted tracking tasks in two very different ways. An own space will allow them to handle their public and private work with a single tool.
Yeah, that's the case. Sorry it's a bit of a pain to manage! I might have a little time next week to try to help work it out.
@mmodell is right. Thanks a lot for finding that.
Originally I thought that maintaining the View+Edit policy for Spaces could happen within the Space configuration itself (e.g. explicitly listing the specific members of a team which has a dedicated Space). As I didn't take that into account.
So given the custom global "Can Edit Task Policy" (allowed to members of Security, SRE, importbots, #acl*fr_policy_admins; those four projects have a "Joinable By" policy restricted to admins or ops):
It looks like the way to set up Spaces is to not directly list each individual member in the Space's policy, but to still define an #acl*teamXYZ project with restricted "Joinable By" and "Editable by". After project creation, "allow members of #acl*teamXYZ" will be set as "Viewable By" and "Editable By" for the new corresponding Space, plus "allow members of #acl*teamXYZ" is also added to https://phabricator.wikimedia.org/applications/edit/PhabricatorManiphestApplication/ (global level).
Need to check that again & hope that was understandable - getting late here.
I think that's about right, yeah...
https://secure.phabricator.com/book/phabricator/article/spaces/ explains things just a bit.
- Created #acl*communityliaison_policy_admins project. Added CL members as members. Set "Joinable By" to administrators. Set "Editable by" to "Custom Policy: @Rdicerb and administrators" (which should allow Rachel to edit members). Had to add myself as a (temporary) member to be technically able to perform the next step:
- Set S2's "Visible To" and "Editable By" to "members of project #acl*communityliaison_policy_admins"
- Not fully sure yet about the consequences of adding "members of project #acl*communityliaison_policy_admins" to Phab's global "Can Edit Task Policies" and if that means anything apart from displaying two more dropdown menus to the CL members when it comes to Security/Operations task but I think not (I need more coffee).
Added "members of project acl*communityliaison_policy_admins" to Phab's global "Can Edit Task Policies" and tested with my private @Malyacko account which was temporarily a member of that group. So this should™ be working now. Will close after a test with a CL/CEP team member (and announcement email to CL folks).
Tested with quiddity on IRC, this seems to work. Closing as fixed.
Also sent email to cep@.
Recommended documentation read (as it ain't easy): https://www.mediawiki.org/wiki/Phabricator/Creating_and_renaming_projects#Restricting_access_via_Space_policies
Not fully sure yet about the consequences of adding "members of project acl*communityliaison_policy_admins" to Phab's global "Can Edit Task Policies" and if that means anything apart from displaying two more dropdown menus to the CL members when it comes to Security/Operations task but I think not (I need more coffee).
Which will give them the technical ability to turn security/other-confidential tasks public.
Yeah, but only if they have already access to such a task anyway. Hence I don't see an issue.
Based on the mess at T109810, I'm not convinced you did check what they needed in terms of being able to include others.
@Krenair: See existing documentation (that was also pointed to the CL team when announcing their Space on their mailing list): "If a user cannot see a space, the user can never see objects inside the space either, even if they are author, assignee or subscriber of the task in that space. (To allow users which are not member of the space to view or edit an object in the Space, a Custom Policy needs to be applied on the object instead of a Space.)"
If you think that's unclear, please explain how to improve it (or just do it).