
Upcoming: Personal Herald Rules No Longer Semi-Private
Closed, Resolved, Public

Description

IMPORTANT: Today, personal Herald rules are "somewhat" private. In the near future, we are making a change so that they are no longer private: other users will be able to browse and examine your personal Herald rules.

The current behavior is inconsistent and somewhat confusing, prevents a few reasonable things from happening, and serves no real purpose that we're aware of. It works like it does for legacy reasons and because we're generally very hesitant to remove policy barriers that users may expect to be protecting private information.

There is some more detailed discussion in T9410. Briefly:

  • Today, users can see the effects of personal rules in the transcript (all the conditions that evaluated, any effects which occurred), but not the actual rules.
  • Today, users can also see almost all effects of Herald rules (like adding subscribers and reviewers) when they apply (you can always see that "Herald added subscribers: ..." to your revision).
  • However, you can't view the actual rule at /Hxxx, even though you can see almost all of it in any transcript, and almost always see its effects if it's relevant.
  • Since you can effectively see most of the content of rules in most cases, rules aren't meaningfully private today anyway.
  • Making them quasi-private is confusing and somewhat inconsistent (as in T9410) and prevents useful things like looking at someone else's rule to write a similar one, sharing a rule you've made, or checking if a rule looks right for someone.

To resolve and simplify this, we're going to make personal rules public (like object and global rules currently are). This means:

  • Other users will be able to view the content of your personal rules by browsing to the /Hxxxx rule detail page.

This will hit stable no earlier than August 12th. If we're missing use cases where this distinction is important and should consider this change more carefully, please let us know.

We're generally very cautious about making changes which lower privacy barriers -- it's scary to update Phabricator and have policies weaken in unexpected ways, and leaking sensitive information is potentially even worse than destroying it. This is an exceptional case where the policy barrier is ineffective anyway and serves no practical or conceivable purpose that we're aware of.

Event Timeline

Great and very helpful change, thank you!

How will the global and personal rules actually differ then, please? Or is there going to be a single scope of rules only?

Primarily, global rules bypass access control policies. They can also apply different actions.

Specifically, after this change (and mostly before this change):

Global rules:

  • can be viewed by any user;
  • can only be created and edited by users with the "Can Manage Global Rules" application permission in Herald;
  • bypass all access policies; and
  • can take global actions (add any user as a subscriber, run builds, etc).

Object rules:

  • can be viewed by any user;
  • can only be created or edited by users who can edit the target object;
  • bypass all access policies (but only apply to objects related to the target object);
  • can take global actions (add any user as a subscriber, run builds, etc).

Personal rules:

  • can be viewed by any user;
  • can only be edited by the author;
  • use the access policies of the author;
  • can only take personal actions (add author as subscriber, send email to author, mark with flag, etc).

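The three rule types above differ in who may edit them, whose access policies apply when they evaluate, and which action scope they may use. The following is an added example, not Phabricator's or Herald's own code: a toy model of those semantics. It assumes a deliberately simplified policy (each object carries explicit viewer and editor sets, and an explicit set of related objects), and the rule, user and action names are constructed for the example.

```python
"""Toy model of the Herald rule permission semantics summarised above.

Constructed example, not Phabricator's code. Policies are reduced to explicit
viewer/editor sets per object; real Phabricator policies are far richer.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

GLOBAL, OBJECT, PERSONAL = "global", "object", "personal"

# Global actions affect arbitrary users/objects; personal actions only affect
# the rule's author. Names are constructed for this example.
GLOBAL_ACTIONS = frozenset({"add_subscriber", "add_reviewer", "run_build"})
PERSONAL_ACTIONS = frozenset({"subscribe_self", "email_self", "flag"})


@dataclass(frozen=True)
class User:
    name: str
    disabled: bool = False
    can_manage_global_rules: bool = False  # "Can Manage Global Rules" permission


@dataclass(frozen=True)
class Obj:
    ident: str
    viewers: FrozenSet[str]          # users allowed to view the object
    editors: FrozenSet[str]          # users allowed to edit the object
    related: FrozenSet[str] = frozenset()  # idents of objects this one relates to


@dataclass(frozen=True)
class Rule:
    ident: str
    kind: str
    author: User
    actions: Tuple[str, ...]
    target: Optional[str] = None     # object rules: ident of the target object


def can_view_rule(viewer: User, rule: Rule) -> bool:
    """After the change, every rule type is viewable by any user."""
    return True


def can_edit_rule(viewer: User, rule: Rule, objects: dict) -> bool:
    """Global: the application permission; object: object editors; personal: author."""
    if rule.kind == GLOBAL:
        return viewer.can_manage_global_rules
    if rule.kind == OBJECT:
        return viewer.name in objects[rule.target].editors
    return viewer.name == rule.author.name


def allowed_actions(rule: Rule) -> FrozenSet[str]:
    """Global and object rules may take global actions; personal rules may not."""
    if rule.kind in (GLOBAL, OBJECT):
        return GLOBAL_ACTIONS | PERSONAL_ACTIONS
    return PERSONAL_ACTIONS


def validate_rule(rule: Rule) -> List[str]:
    """Actions the rule type is not permitted to take (would be rejected on save)."""
    return sorted(set(rule.actions) - allowed_actions(rule))


def rule_applies(rule: Rule, obj: Obj) -> Tuple[bool, str]:
    """Decide whether a rule evaluates against obj, with the reason."""
    if rule.kind == PERSONAL:
        if rule.author.disabled:
            return False, "author is disabled; personal rules do not run"
        if rule.author.name not in obj.viewers:
            return False, "author cannot view the object; personal rules use the author's policies"
        return True, "author can view the object"
    if rule.kind == OBJECT:
        if obj.ident == rule.target or rule.target in obj.related:
            return True, "object is the target or related to it; policies bypassed"
        return False, "object is unrelated to the rule's target"
    return True, "global rule; policies bypassed"


if __name__ == "__main__":
    alice = User("alice")
    bob = User("bob", disabled=True)
    d1 = Obj("D1", frozenset({"alice", "carol"}), frozenset({"alice"}), frozenset({"R1"}))
    d2 = Obj("D2", frozenset({"carol"}), frozenset({"carol"}))
    for rule in (Rule("H1", PERSONAL, alice, ("subscribe_self",)),
                 Rule("H2", PERSONAL, bob, ("flag",)),
                 Rule("H3", OBJECT, alice, ("add_reviewer",), target="R1")):
        for obj in (d1, d2):
            print(rule.ident, obj.ident, *rule_applies(rule, obj))
```

The two edge cases worth noticing are in `rule_applies`: a personal rule silently does not evaluate when its author cannot view the object or has been disabled, which is exactly why disabling a departed user neutralises their rules, while global and object rules run regardless of the author's own visibility.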
Thank you for the exhaustive description. One more question:

"Personal rules can only be edited by the author"

Always, or can their author set the edit policy to allow others as well? Also how about archiving/re-enabling?
Background: User sets some rule, then leaves Phabricator and is no longer available, but the rule needs to be disabled or changed...

Personal Herald rules do not run for disabled users, so disabling a user will disable all of their personal rules.

Administrators can destroy rules with bin/remove destroy Hxxx.

It's possible that we may allow administrators to disable personal Herald rules from the web UI in the future (similar to the planned capability in T7593 to let them disable files) but this doesn't seem to be coming up too often in general. I would probably want to make Herald email rule owners when an administrator disabled their rules, too. Some vague entanglement with T8635, T10448, etc.

epriestley claimed this task.

This has been promoted to stable and doesn't seem like a contentious change, so I don't currently anticipate any need to keep this open or revisit it.