We need a short term plan for private tasks fully agreed by @csteipp and the #Phabricator team. Currently we have a system that works and several open issues. Before attempting to solve the issues one by one, we need to be on the same page with the overall plan.
Steps:
# Collect all the affected tasks as blocked tasks.
# Write down a description of the current implementation and the aspects that need to be improved.
# Sit down, discuss and edit until we have a common plan.
Then we will proceed resolving the tasks accordingly.
| Feature | Implementation | Expectation | Happy with current implementation |
| ---------- | ---------------------| --------------| -------|
| Making a task private | Security dropdown sets access control template via Herald | {T517} | As an interim solution yes. As a definitive solution, maybe not. Upstream plans to work on [[ https://secure.phabricator.com/T3820 | Spaces ]]. |
| Associating projects to private tasks | Yes | Yes | Yes |
| {T475} | Yes | Yes | Yes |
| Access for authors of Bugzilla migrated private tasks | Only after the task is updated | Yes | Yes, by now most issues are updated, and if there is any remaining updating it is easy. |
| {T518} | Security extension strips any users CCed manually?External users CCed receive notifications but they cannot view or edit the tasks. Any exceptions need to be handled out of the Security template. Is [[ https://phabricator.wikimedia.org/T518#9157 | this description ]] verified?| Yes | No, and this is the biggest problem currently. If you want to CC other uUsers you need to set the task policy manually out of the templateCCed must be able to view and edit. | Users inChanging the security group should be able to add external userspolicy manually is causing extra work for @csteipp. External users CCed not being able to add other external users is fine (right?) | No |It's considered a regression from the situation we had in Bugzilla. |
| Access for| CCed users in Bugzilla migrated tasks | Probably the same as above after the task is updated.can add other CCed users | No, | The same as above | No,by design. and this is the biggest problem currently.| Yes, Users CCed must be able to view and edit.as we could in Bugzilla | No, Changing the policy manually is causing extra work for @csteippalthough this is not as urgent/important as CCed users not being able to view/edit. It's considered a regression from the situation we had in Bugzilla. External users being able to CC other external users is also desirable,|
| Access for CCed users in Bugzilla migrated tasks | Probably the same as above after the task is updated. but less relevant.| Same as above | No, same as above |
| Files uploaded directly to a private task inherit private policy | Yes? | Yes | Yes, no problems found so far. |
| Thumbnails of private images should be private | No, it would take a big performance hit and with such small size doesn't disclose anything. You need to know the exact URL of the thumbnail. Upstream agrees. | Yes | No, this is a requirement we also have for MediaWiki, and we are paying the performance penalty there as well. @csteipp is happy to put us in touch with the colleagues that fixed this in MediaWiki. Not urgent, but it needs to be a goal in our plans. |