test task only editable by #Task-Editors & the task creator
Open, Needs Triage
Public

Description

If anyone would like to see what this sort of 'edit policy' does/doesn't restrict non-members of the Task-Editors group from doing, feel free to add/remove yourselves from that group & then take any actions on this test task.

Details

Security
None
Risk Rating
N/A

Related Objects

Mentioned In
Task-Editors

Event Timeline

a_smart_kitten__test created this object with visibility "Public (No Login Required)".
a_smart_kitten__test created this object with edit policy "Restricted Project (Project)".

(this _test2 account is not currently in the #pseudo-trusted-contributors project)

a_smart_kitten__test renamed this task from test task only editable by pseudo-trusted-contributors to test task only editable by pseudo-trusted-contributors & the task creator. (Sun, Mar 15, 4:24 AM)
a_smart_kitten__test changed the edit policy from "Restricted Project (Project)" to "Custom Policy".
a_smart_kitten__test renamed this task from test task only editable by pseudo-trusted-contributors & the task creator to test task only editable by #Task-Editors & the task creator. (Sun, Mar 15, 4:54 AM)
a_smart_kitten__test updated the task description.
a_smart_kitten__test changed the edit policy from "Custom Policy" to "Custom Policy".

note to self: one thing is that this would appear to prevent non-members of Task-Editors from claiming tasks as well (which might in turn mean that new developers then couldn’t assign a task to themselves)

Another idea might be to restrict what forms you can use to edit. I think you could allow claiming a task that way while disallowing some other edits.

True, though that wouldn't restrict malicious actors from being able to edit via the API if they wanted to (as documented e.g. at https://we.phorge.it/book/phorge/article/forms/#use-case-security-issues:~:text=regardless%20of,Conduit%20API).

I am not sure whether / to what extent restricting the available forms may also (be able to) restrict what actions someone is able to take using the "Add Action..." dropdown. I would have to check.