We need a short term plan for private tasks fully agreed by @csteipp and the #Phabricator team. Currently we have a system that works and several open issues. Before attempting to solve the issues one by one, we need to be on the same page with the overall plan.
Steps:
# Collect all the affected tasks as blocked tasks.
# Write down a description of the current implementation and the aspects that need to be improved.
# Sit down, discuss and edit until we have a common plan.
Then we will proceed resolving the tasks accordingly.
| Feature | Implementation | Expectation | Happy with current implementation |
| ---------- | ---------------------| --------------| -------|
| Making a task private | Security dropdown sets access control template via Herald | {T517} | As an interim solution yes. As a definitive solution, maybe not. Upstream plans to work on [[ https://secure.phabricator.com/T3820 | Spaces ]]. |
| Associating projects to private tasks | Security extension strips any project other than "Security" | Possibility to add projects | No |
| {T475} | Yes | Yes | Yes |
| Access for authors of Bugzilla migrated private tasks | No | Yes | No |
| {T518} | Security extension strips any users CCed manually? Is [[ https://phabricator.wikimedia.org/T518#9157 | this description ]] verified? If you want to CC other users you need to set the task policy manually out of the template. | Users in the security group should be able to add external users. External users CCed not being able to add other external users is fine (right?) | No |
| Access for CCed users in Bugzilla migrated tasks | Security extension stripped any users not in the Security group | CCed users that had access in Bugzilla should have it in Phabricator | No |
| Files uploaded directly to a private task inherit private policy | Yes? | Yes | Yes? |
| Thumbnails of private images should be private | No, it would take a big performance hit and with such small size doesn't disclose anything. You need to know the exact URL of the thumbnail. Upstream agrees. | At the beginning yes, but now maybe not? | Maybe yes? |