Moving our procurement process into Phabricator requires a few things. This task outlines the proposed workflow for a procurement task and the relevant security settings.
Workflow:
* User creates a #hardware-request task for the hardware.
* If hardware needs to be ordered, Rob creates a procurement task for each quote/vendor combination.
* Example: We need a new database system on task A (hardware-request). Then we create Task B in the procurement project for Dell quote, and Task C in the procurement project for HP quote.
* Rob deals with Dell on Task B, they email back with quotes and options.
* Rob deals with HP on Task C, they email back with quotes and options.
* Ops determines which specification/quote to go with, and escalation of the task begins for approvals.
* The task for approval has to be viewed by Mark, and possibly Damon or Lila, for approvals. Mark tends to comment on the task, whereas Damon and Lila will likely email their approval back into the task.
* Once order is placed, the procurement task is assigned to the on-site tech to scan the packing slip.
* On-site receives the order and resolves the task with relevant details. If there are issues, on-site notes the issues and assigns the task back to Rob.
* Each procurement project task has to accept email sent directly to the task at T###@phabricator.wikimedia.org
* Procurement project task has to be locked down by view/read/edit/everything to ONLY #wmf-nda.
* Any email attachments into task should automatically have security settings applied to ONLY be viewable to #wmf-nda. (This is the default behavior).
* Volunteers shouldn't interact with the tasks, so #wmf-nda is required to ensure only the ones who signed an NDA can view. Unfortunately we don't keep a staff list in phab, so NDA is the tightest we can lock it down without managing a new group.
* ALL procurement tasks should have the Security drop-down set to 'other confidential issue'. The details on what this does are [[http://www.mediawiki.org/wiki/Phabricator/Security#Understanding_.27Security.27_Field_Transforms | here]]. Basically it will simply ensure we don't accidentally set the task to public or non-nda-viewable. As these are vendor quotes, this is mandatory.
I (@RobH) dislike that there are the two steps needed here, putting in procurement + the other issue selection in the drop down, but the only alternative I can think of is adding a 'procurement' in the security drop down. After chatting with @chasemp, he pointed out that doing that is a larger usability issue, and likely will result in some confusion. Since procurement is such a small, small subset of our overall phabricator userbase, it is better that we (myself and whoever else processes these) take that extra step rather than the alternative presented.
Task creation steps & tests:
[x] - generate a new procurement task & ensure its creation doesn't leak private info.
* T94507 was successfully created and has all proper permissions. When created, it was set with the 'other confidential issue' in the security drop down.
[] - email an attachment into the task & ensure its attachment isn't viewable to anyone not in the NDA group.
* currently failing, as the attachment is not made private, but public.
[] - test if someone not a member of wmf-nda can be added/subscribed/assigned to a procurement task (this tests the security drop down more than #procurement)