Cannot set access control for creating new Maniphest forms
Closed, Resolved (Public)

Description

As an administrator, I cannot use the "Create form" button on https://(hostname)/transactions/editengine/maniphest.task/page -- it reports "You do not have permission to create these objects." I cannot edit existing forms; it reports "You do not have access to any forms which are enabled and marked as edit forms." I can, however, modify the order in which the existing forms are presented.

I cannot find the location to change the access control to allow me to edit the forms. https://(hostname)/applications/view/PhabricatorManiphestApplication/ has permissions all set to "All users" or "Administrators", so I satisfy all of those. https://(hostname)/applications/view/PhabricatorTransactionsApplication/ similarly.

A fresh Phabricator instance appears to grant me the ability to create new forms, so this is a permission which has degraded during an upgrade, or is otherwise squirrelled away someplace I do not know to look.

Phabricator version is 216f6be11ece53cb1daafc8fff636dbdb0d7ef3d with likely irrelevant modifications.
cc @ahoffer2

Event Timeline

DO YOU HAVE ACCESS TO FORMS FOR CONFIGURING FORMS?!

formforms.png (1×1 px, 163 KB)

HA HA HA HA HA HA HA HA HA

A MARVEL OF ACADEMIC PURITY, EDITENGINE PUSHES THE BOUNDARIES OF ADVANCED FORM THEORY TO NEW DEPTHS

I do now see that, but I'm unclear how to use its form to configure the form to configure the form to configure the form from.

Screenshot 2017-03-24 14.28.46.png (405×1 px, 54 KB)

Can you click that link, then "Enable Form"? Or do you get some kind of error?

It looks like someone might have accidentally customized and then disabled the form-configuring form when they meant to do something with a task form.

If you can't enable that form, you might need to go hunt it down in the database and manually enable it (or tell me what you hit and we'll fix it if it's a bug).

Once that form is enabled, you should be able to use it (indirectly) to create and edit forms for Maniphest, although it's possible you'll need to revert changes which were made to it if someone locked/hid all the fields or whatever.

I think there is also zero legitimate reason for the form-configuring-form to be editable and this entire workflow essentially represents a trap for the unwary.

Enabling that form seems to have done the trick -- thanks! Since it got renamed at some point from "Create form," its existence was almost certainly confusing to some previous admin, which is what got us into this.

Is there an ACL I can apply to prevent people from creating new create forms? Or to prevent users from disabling the form form?

You can edit the "Create Form" form and change "Visible To:" to "Members of Project: Doctorate in Form Theory". Then only members of that project will be able to create other forms or edit the form form, I believe.

(Administrators who are not members of "Doctorate in Form Theory" can still make edits to other forms which don't require the Form-Form, like reordering fields, but that's probably fine? Or at least less problematic?)

(In the longer term, the permissions here could probably be cleaned up, but I think that's the cleanest fix without upstream changes.)

epriestley claimed this task.

I'm going to presume this is approximately resolved.

If you'd like to see more permissions, feel free to file a followup describing your use case in more detail (e.g., what class of administrators do you not trust, and why are they administrators?). I think we're broadly open to adding more permissions here (for example, a "Can Manage Forms" permission, and/or making "Can Manage Application" permission mutable per-application, and/or letting you open up whatever admin-only thing you're making users admins for) but don't want to just add 300 new permissions for the heck of it without a better understanding of how permissions are being split up.