Page MenuHomePhabricator

Community Liaison project/space for private tasks
Closed, ResolvedPublic

Description

Some of CL information is under wraps or embargoed for brief amounts of time.

Related Objects

StatusAssignedTask
ResolvedQgil
ResolvedQgil
ResolvedQgil
Resolved RobLa-WMF
ResolvedQgil
ResolvedDzahn
ResolvedQgil
ResolvedAklapper
Invalidmmodell
Resolvedmmodell
Resolvedmmodell
DeclinedQgil
ResolvedAklapper
ResolvedQgil
ResolvedRobH
ResolvedAklapper
ResolvedAklapper
ResolvedAklapper
ResolvedAklapper
ResolvedAklapper
DeclinedAklapper
ResolvedQgil
Resolvedchasemp
Resolvedchasemp
Resolvedchasemp
Resolvedchasemp
Resolvedchasemp
Resolvedchasemp
ResolvedQgil
Resolvedgpaumier
ResolvedAklapper
ResolvedDzahn
ResolvedDzahn
DeclinedNone
ResolvedRobH
DuplicateRobH
Declinedmmodell
Duplicatemmodell
ResolvedQgil
Resolvedmmodell
ResolvedSpringle
ResolvedNone
Resolvedmmodell

Event Timeline

Rdicerb assigned this task to Aklapper.
Rdicerb raised the priority of this task from to Needs Triage.
Rdicerb updated the task description. (Show Details)
Rdicerb added a subscriber: Rdicerb.
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMar 26 2015, 10:22 PM
Qgil renamed this task from Private project requested to Community Liaison private project .Mar 26 2015, 10:25 PM
Qgil added a project: Project-Admins.
Qgil set Security to None.

@Rdicerb can you add some more detail? I don't understand what the goal of this task is yet but I'm wondering if you are misunderstanding what a private project is at this point in Phabricator.

Qgil added a subscriber: Qgil.EditedMar 26 2015, 11:11 PM

Rachel is asking for a setup like Fundraising Tech's private tasks. We discussed this in a conversation a couple of weeks ago.

Following up?

Qgil removed Aklapper as the assignee of this task.Apr 6 2015, 5:24 PM

So this is about replicating T88762

@Rdicerb, in any case https://www.mediawiki.org/wiki/Phabricator/Creating_and_renaming_projects#New_projects still applies, since you will need a new project only to handle these private tasks. Please provide the information requested.

Aklapper triaged this task as Normal priority.Apr 7 2015, 4:47 PM
Elitre added a subscriber: Elitre.Apr 14 2015, 1:12 PM
Qgil changed the status of subtask T823: Implement Phabricator Spaces from Stalled to Open.May 12 2015, 7:03 AM
Krenair renamed this task from Community Liaison private project to Community Liaison project for private tasks.Jun 13 2015, 7:08 PM
Krenair updated the task description. (Show Details)
Krenair changed the task status from Open to Stalled.Jun 13 2015, 7:41 PM

Stalled on requestor

Aklapper changed the task status from Stalled to Open.Jul 18 2015, 10:28 PM
Aklapper claimed this task.
Aklapper added a project: ECT-August-2015.EditedJul 31 2015, 5:34 PM
Aklapper added subscribers: Malyacko, mmodell.

I created S2 for Community Liaisons and created documentation but it is not working as expected yet. Meh.

I have added my private account @Malyacko to "Can View" and "Can Edit" of the Space S2 in this production instance but for reasons I do not get, there is no Spaces dropdown shown on https://phabricator.wikimedia.org/maniphest/task/create/ for my private user. It IS shown for my admin account @Aklapper however in production.
It works on phab-01.wmflabs.org of course where I'm admin as @AndreTest and a normal user as @AckoS3 (and "Can View" should be sufficient anyway, "Can Edit" should not be needed, as seen on phab-01).

I don't see any Spaces related stuff in https://phabricator.wikimedia.org/config/all/ either that could be a simple settings difference between phab-01 and production.

Comparing https://phabricator.wikimedia.org/applications/view/PhabricatorSpacesApplication/ and https://phab-01.wmflabs.org/applications/view/PhabricatorSpacesApplication/ there is no difference, except for phab-01 stating "This application is a prototype." (which makes me wonder how different the age of the two codebases is).

I'm really puzzled here and would welcome another pair of eyes (@chasemp, @mmodell).

mmodell added a comment.EditedJul 31 2015, 6:28 PM

I don't see any space S2? @Aklapper: are you sure you created a space? Is it just that my account can't see it?

I don't see any space S2? @Aklapper: are you sure you created a space? Is it just that my account can't see it?

Ah sorry. I now temporarily added @mmodell and @chasemp (both Phab admins) to the "Can View" Policy of S2. When it comes to "Can Edit", the settings already allows admins to edit the space.

Ok maybe it's this: https://phabricator.wikimedia.org/applications/edit/PhabricatorManiphestApplication/

"Can Edit Task Policy" is set to a custom policy, I bet editing the "space" dropdown on tasks requires that you are allowed to edit the task policy.

You're making a space? I don't think that's a FR tech-like setup. Have you asked CL about what they actually need in terms of being able to include other people? Why is WMF-NDA insufficient?

Qgil added a comment.Jul 31 2015, 7:30 PM

I had discussed this case with @Rdicerb and the Community-Relations-Support team. A significant percentage of their work involves information that is either not public yet (early drafts, coordinated announcements...) or that it will never be public (conflicts and such). Before Phabricator the team handled most of their work privately, with Phabricator they have moved part of their work here, but they are still splitted tracking tasks in two very different ways. An own space will allow them to handle their public and private work with a single tool.

Yeah, that's the case. Sorry it's a bit of a pain to manage! I might have a little time next week to try to help work it out.

@mmodell is right. Thanks a lot for finding that.

Originally I thought that maintaining the View+Edit policy for Spaces could happen within the Space configuration itself (e.g. explicitly listing the specific members of a team which has a dedicated Space). As I didn't take that into account.

So given the custom global "Can Edit Task Policy" (allowed to members of Security, Operations, importbots, #acl*fr_policy_admins; those four projects have a "Joinable By" policy restricted to admins or ops):
It looks like the way to set up Spaces is to not directly list each individual member in the Space's policy, but to still define an #acl*teamXYZ project with restricted "Joinable By" and "Editable by". After project creation, "allow members of #acl*teamXYZ" will be set as "Viewable By" and "Editable By" for the new corresponding Space, plus "allow members of #acl*teamXYZ" is also added to https://phabricator.wikimedia.org/applications/edit/PhabricatorManiphestApplication/ (global level).

Need to check that again & hope that was understandable - getting late here.

@mmodell is right. Thanks a lot for finding that.
Originally I thought that maintaining the View+Edit policy for Spaces could happen within the Space configuration itself (e.g. explicitly listing the specific members of a team which has a dedicated Space). As I didn't take that into account.
So given the custom global "Can Edit Task Policy" (allowed to members of Security, Operations, importbots, #acl*fr_policy_admins; those four projects have a "Joinable By" policy restricted to admins or ops):
It looks like the way to set up Spaces is to not directly list each individual member in the Space's policy, but to still define an #acl*teamXYZ project with restricted "Joinable By" and "Editable by". After project creation, "allow members of #acl*teamXYZ" will be set as "Viewable By" and "Editable By" for the new corresponding Space, plus "allow members of #acl*teamXYZ" is also added to https://phabricator.wikimedia.org/applications/edit/PhabricatorManiphestApplication/ (global level).
Need to check that again & hope that was understandable - getting late here.

I think that's about right, yeah...

https://secure.phabricator.com/book/phabricator/article/spaces/ explains things just a bit.

Aklapper raised the priority of this task from Normal to High.Aug 3 2015, 7:58 PM
  • Created #acl*communityliaison_policy_admins project. Added CL members as members. Set "Joinable By" to administrators. Set "Editable by" to "Custom Policy: @Rdicerb and administrators" (which should allow Rachel to edit members). Had to add myself as a (temporary) member to be technically able to perform the next step:
  • Set S2's "Visible To" and "Editable By" to "members of project #acl*communityliaison_policy_admins"
  • Not fully sure yet about the consequences of adding "members of project #acl*communityliaison_policy_admins" to Phab's global "Can Edit Task Policies" and if that means anything apart from displaying two more dropdown menus to the CL members when it comes to Security/Operations task but I think not (I need more coffee).

Added "members of project acl*communityliaison_policy_admins" to Phab's global "Can Edit Task Policies" and tested with my private @Malyacko account which was temporarily a member of that group. So this should™ be working now. Will close after a test with a CL/CEP team member (and announcement email to CL folks).

Aklapper renamed this task from Community Liaison project for private tasks to Community Liaison project/space for private tasks.Aug 5 2015, 12:13 PM
Aklapper closed this task as Resolved.Aug 5 2015, 5:57 PM

Tested with quiddity on IRC, this seems to work. Closing as fixed.
Also sent email to cep@.

Recommended documentation read (as it ain't easy): https://www.mediawiki.org/wiki/Phabricator/Creating_and_renaming_projects#Restricting_access_via_Space_policies

Not fully sure yet about the consequences of adding "members of project acl*communityliaison_policy_admins" to Phab's global "Can Edit Task Policies" and if that means anything apart from displaying two more dropdown menus to the CL members when it comes to Security/Operations task but I think not (I need more coffee).

Which will give them the technical ability to turn security/other-confidential tasks public.

Which will give them the technical ability to turn security/other-confidential tasks public.

Yeah, but only if they have already access to such a task anyway. Hence I don't see an issue.

Based on the mess at T109810, I'm not convinced you did check what they needed in terms of being able to include others.

Based on the mess at T109810, I'm not convinced you did check what they needed in terms of being able to include others.

@Krenair: See existing documentation (that was also pointed to the CL team when announcing their Space on their mailing list): "If a user cannot see a space, the user can never see objects inside the space either, even if they are author, assignee or subscriber of the task in that space. (To allow users which are not member of the space to view or edit an object in the Space, a Custom Policy needs to be applied on the object instead of a Space.)"

If you think that's unclear, please explain how to improve it (or just do it).