Support permissions/policies in all Phabricator applications
Closed, Resolved
Public

Assigned To
epriestley
Priority
High
Author
Cobi
Blocks
Restricted Task
Restricted Task
Restricted Task
T2795: Phacility (Mid Priority)
Restricted Task
T182: Commit into repository directly from differential
Blocked By
T3820: Build JIRA-like "Namespaces" for putting global, default-deny walls around groups of unprivileged users
Restricted Task
Restricted Task
Restricted Task
Differential Revisions
Restricted Revision
Commits
D7343 / rP0b22777f68e7: Remove UI warnings about policies being a janky mess
D7342 / rP5171e3684c58: Require application "Can Use" capability to call Conduit methods
D7334 / rP95c2b03fc8e5: Distinguish between invalid/broken handles and filtered handles
D7322 / rP3410cbd53ee8: Add application and object level policy controls to Countdown
D7321 / rPe381022bc762: Provide application and object level policy controls in Slowvote
D7317 / rP8c1c6fec5ac9: Modernize policies in Paste and Macro
D7318 / rP197d3817bc57: Give disabled crumb actions a distinct visual style
D7300 / rP76dfeb95ba17: Allow "Custom" policies to be selected in the policy control
D7314 / rP3a4c08d7f11a: Simplify custom policies before saving, and reject meaningless policies
D7306 / rP073cb0e78c01: Make PhabricatorPolicyInterface require a getPHID() method
D7309 / rPc4abf160cc51: Fix some file policy issues and add a "Query Workspace"
D7310 / rP502c6f2d4816: Render public content as "Public" in headers, not "Public (No Login Required)"
D7299 / rP13178ec2792b: Prepare the policy rule edit endpoint for integration
D7298 / rP5e5b7576a675: Make PhabricatorPolicyQuery a CursorPagedPolicyAwareQuery
D7297 / rP7364a3bedd5d: Add some missing strings for custom policies
D7296 / rP6c1b00fa40ce: Rename ACTION_ACCEPT into ACTION_ALLOW
D7303 / rP67cca8f7fa14: Fix breadcrumbs for login screen triggered when a logged-out user fails a…
D7292 / rP67b17239b8e6: Allow custom policies to be loaded and executed by the policy filter
D7289 / rP130a15b51bf5: Highlight the currently selected policy in the policy dropdown control thing
D7285 / rP5af031ec9bcb: Make the policy control a JS dropdown with icons
D7282 / rP5899ae08b32b: Add storage for custom policies
D7278 / rPc39b10aa7a56: Fix non-public capabilities in Application edit
Restricted Revision / rPf4582dc49d8d: Allow "Default View" policies to be set to Public
Restricted Revision / rP11fbd213b105: Custom Policy Editor
Restricted Revision / rP436a40335723: Add a "default view" policy to Differential
Restricted Revision / rP650dc0cc302b: Remove the "create rules" Herald capability
Restricted Revision / rP1ee455c441a1: Add default view and default edit policies for tasks
Restricted Revision / rP3147a6ca5709: Improve messaging of special policy rules in applications
Restricted Revision / rP45f38c549b65: Use header status/policy elements in Applications meta-application
Restricted Revision / rP7a97a71e2002: Move Herald application capabilities to newer infrastructure
Restricted Revision / rPb1b1ff83f239: Allow applications to define new policy capabilities
Restricted Revision / rP68c854b9673e: Remove dead `rejectImpossiblePolicy()` method
Restricted Revision / rP2abbd518684a: Don't raise a policy exception if a user can't see the parent revision of a new…
Restricted Revision / rP953ff197bf26: Allow Herald rules to be disabled, instead of deleted
Restricted Revision / rP515f9a36ab7a: When editing objects which use files, attach the files to the objects
Restricted Revision / rPc587b8a9c8fb: Remove `ProjectProfile->loadProfileImageURI()`
Restricted Revision / rP80f6d0094041: Remove PhabricatorProject->loadProfile
Restricted Revision / rP64e4b3aef449: Remove loadMemberPHIDs from PhabricatorProject
Restricted Revision / rPe6d8e1a00ac4: Make Herald rules obey policies during application
Restricted Revision / rPee4bdb501b9b: Make Herald transcripts policy-aware
Restricted Revision / rPc8127edfe9a8: Tighten up some policy interactions in Herald
Restricted Revision / rPa600ab77316f: Prevent administrators from locking themselves out of applications
Restricted Revision / rPHUd72b0f90af7d: Add PhutilLunarPhase, for computing phases of the moon
Restricted Revision / rPa6c4117ec434: Fix controller-level access rules
Restricted Revision / rPc830461b00a0: Allow application policies to be edited
Restricted Revision / rP6100906273eb: Support unlocking applications with bin/policy
Restricted Revision / rP0d83e1d66fee: If a user can't see an application, prevent them from using its controllers
Restricted Revision / rPf75c13b987c7: Use ApplicationSearch in Applications application
Restricted Revision / rP901bdda6b157: Use a policy-aware query in PhabricatorSearchSelectController
Restricted Revision / rP742d45b625d1: Modernize file embed Remarkup rule
Restricted Revision / rPaac490180f30: Write "attach" edges when files are attached to objects via comment or other…
Restricted Revision / rP1d1ecb562952: Add `bin/policy unlock`
Restricted Revision / rP4dfdd0d3167d: Treat invalid policies as broadly similar to "no one"
Restricted Revision / rP98bf001a58a3: Add `viewPolicy` and `attachedToObjectPHID` to PhabricatorFile
Restricted Revision / rP472be5e26e6a: Provide an attached-to-visible-object policy exception for files
Restricted Revision / rPca7a7927948b: Convert `bin/files` to ObjectQuery
Restricted Revision / rPdd206a5b69d5: Viewerize ArcBundle file loading callbacks
Restricted Revision / rP13dae0519368: Make most file reads policy-aware
Restricted Revision / rPe2ed52735387: Add a very simple `bin/policy` script for CLI policy administration
Restricted Revision / rP2d5b59b40108: Move policy config to "Policy" app and make `policy.allow-public` description…
Restricted Revision / rPefc837318485: Show "Search" in menubar while logged out if users can access it
Restricted Revision / rP7f0d0e4e6cc0: Make more Diffusion controllers/views capability-sensitive
Restricted Revision / rP2e5ac128b3ee: Explain policy exception rules to users
Restricted Revision / rP5799e8e2de67: Provide better strings in policy errors and exceptions
Restricted Revision / rPe0f99484ac91: Make Differential views capability-sensitive
Restricted Revision / rP874a9b7fe3f8: When creating or updating a revision, infer the repository from the diff
Restricted Revision / rP3d354d205fbf: Allow editPolicy, viewPolicy, and repositoryPHID to be edited from the web UI…
Restricted Revision / rP9b3d7b0dbaad: Make most Differential reads policy-aware
Restricted Revision / rP80378eb5f6a8: Show policy information in Differential header
Restricted Revision / rPd61c931c7b38: Use Differential policy columns to drive policies
Restricted Revision / rP79abe6653e89: Remove PhabricatorRepository::loadAllByPHIDOrCallsign()
Restricted Revision / rPc458517cb4fe: Add viewPolicy, editPolicy, repositoryPHID columns to DifferentialRevision
Restricted Revision / rPc467cc464fb5: Make most repository reads policy-aware
Restricted Revision / rP1e2718d747e8: Make Maniphest list page react to viewer capabilities
Restricted Revision / rP800f6971bbf3: Make Maniphest detail page react to viewer capabilities
Restricted Revision / rPc7f105ac0e4b: Allow task policies to be edited from the UI; show policy information on the…
Restricted Revision / rP3a87a95e119b: Use ManiphestTaskQuery in nearly all interfaces
Restricted Revision / rP36343600c5c7: Remove obsolete code from ManiphestTaskQuery
Restricted Revision / rP225a38c7d36a: Add viewPolicy, editPolicy storage to tasks
Restricted Revision / rPd63789e4b2a0: Allow repository policies to be edited
Restricted Revision / rPa09616858b11: Use RepositoryQuery along common pathways
Restricted Revision / rPe7a7e43104bc: Fix a bug where policy queries with cursor-based pagers and non-ID orders can…
Restricted Revision / rPb558e1b4a4eb: Remove ManiphestTaskListController
Restricted Revision / rPb902005bed52: Kill PhabricatorObjectDataHandle
Restricted Revision / rP07b8becfc6d5: Policy - introduce parentQuery and pass around policy configuration from parent…
Restricted Revision / rPe8142915269a: Introduce ManiphestTaskSearchEngine plus ManiphestTaskListControllerPro
Restricted Revision / rP1e42c62b8f5c: Make ManiphestTaskQuery a (mostly) policy-aware query
Restricted Revision / rPa2571de575c0: Remove obsolete/deprecated withTaskIDs() / withTaskPHIDs()
Restricted Revision / rP1f86c7342881: Simplify policy filtering for projects and ObjectQuery
Restricted Revision / rPe625c91867ec: Pass viewer to all ManiphestTaskQuery objects
Restricted Revision / rP275f67294cc7: Make Flags policy aware
Restricted Revision / rP8eed5b1f1449: Make HeraldRule implement PhabricatorPolicyInterface
Restricted Revision / rPc5a06a624a44: Use application PHIDs for mailing lists
Restricted Revision / rPd2e5afb0959c: Use application PHIDs in Releeph, plus more
Restricted Revision / rP0630ffffaa75: Use ApplicationSearch in Slowvote
Restricted Revision / rP9be755ab127e: Add PhabricatorSlowvoteQuery
Restricted Revision / rP64cc0ce1287f: Add "Visible To" property fields for diffs and revisions
Restricted Revision / rP6aee862bbe6a: Use ApplicationSearch in Differential
Restricted Revision / rP3ec4984f27cd: Use cursor-based paging in Differential
Restricted Revision / rP0c2e38e81c9c: Make DifferentialRevisionQuery policy-aware
Restricted Revision / rP58884b94dc0b: Simplify construction and execution of Differential queries for "responsible"…
Restricted Revision / rP90123dd7392f: Add DifferentialDiffQuery and change most callsites
Restricted Revision / rP328aa383e460: Always provide a viewer when executing DifferentialRevisionQuery
Restricted Revision / rPb28ceafa382d: Update Differential diff view
Restricted Revision / rPab2ed06c384c: Remove DifferentialRevisionListData
Restricted Revision / rPf82e4b0c70a0: Modernize most Conduit console interfaces
Subscribers
AndHub, omair, kornrunner and 60 others
Description

As an admin, I should be able to group users into groups and limit groups to certain repositories in Diffusion, certain projects in Maniphest and Differential, and certain pages in Phriction.

epriestley added a subscriber: FacebookPOC. Via Web, Oct 4 2013, 11:05 PM

Oh I never added Facebook to this.

Facebook: HEAD has an implementation of (approximately) per-object-privacy. If you don't touch anything, nothing should really change, except that there will be more policy controls in the UI. Herald rules have changed slightly: by default, only administrators can create Global rules now, because they punch through access controls. You can configure this back to "all users" in the "Applications" application if you want to keep the old policy.

Everyone else: here's a screenshot of the advanced policy construction interface in D7217 if you have any feedback. This will be an optional advanced mode which supplements the current policy control -- the UI will still provide easy access to common policies like "All Users".

epriestley closed this task as "Resolved". Via Web, Oct 17 2013, 8:32 PM

I'm going to close this task, since it has served its purpose and we have basically-usable policies almost-everywhere now.

Policies are newly implemented, and are obviously not mature. There are likely to be some remaining bugs, rough edges, etc. However, by all appearances they work correctly and are reasonably usable. You should be cautious about using them to protect nuclear launch codes from hostile nations, but they should be fine for hiding information from your enemies at your company, and for opening up applications on open source installs.

The policy implementation today consists of flexible infrastructure, a basically reasonable UI on top of it, and some application-level defaults and settings (accessible in the "Applications" application). We expect to refine all of these things in time, but mostly in response to feedback. If you begin using these features, let us know what works, what doesn't work, what's confusing, what you wish were easier, etc.

Some particular notes:

  • Open-Source Installs
    • There's no logged-out version of the home page yet. Do you want one? What should it look like or do?
    • There may be performance issues with some queries if you have a large amount of private data and a small amount of public data. Let us know if you run into these.
    • There's no script to retroactively open up access. You can generally update the viewPolicy column of an object type in the DB, or we can build tools for this.
  • Installs with Clients or Project-Level Policy Implications
    • We suspect the current implementation is very labor-intensive for the use case of having several clients, each of whom you only want to see their own stuff. Is this true? Some discussion in T3820.
    • Broadly, the implementation is easier to use with policies that are default-open, selective-deny than default-deny, selective-open. We think this is the more common use case, but maybe not?
  • Tooling
    • There isn't much support tooling yet. What do you need?
    • The bin/policy tool does exist, and will let you unlock objects which you accidentally lock yourself out of. (We'll make it harder to lock yourself out of things, too -- it's fairly easy in a few interfaces now.)
  • Custom Policies
    • The custom policy UI provides "user", "project", "admin", and "lunar phase" rules. What additional rules do you need? "Time of day"? "LDAP group"?
    • These rules are relatively pluggable. Are you interested in writing custom rules?
    • Do you even end up using custom policies? Could we have gotten away without building them?
  • Defaults
    • We provide global defaults in most applications now. Do we need more fine-grained defaults (per-user, per-project...)?
    • There's no way to save or bookmark specific custom policies. Is this important?
    • Some object types have implicit rules, e.g. the author of a paste can always view and edit it. Are there other rules we should have? Do current rules make sense?
  • Clarity
    • A particular goal of this implementation is to make it clear how policies operate. Did we succeed? When you can't see an object, is it clear why you can't see it? Are policy rules intuitive?
    • Is it easy to set the policies you want to set?
  • Incomplete Applications and Policies
    • Not all applications have full policy support yet, usually because it's blocked by something or they're beta. Which remaining apps do you want support for?
    • Capabilities are relatively coarse right now, and mostly fall into "edit" and "view". Do you need more fine-grained capabilities (like "comment" as distinct from "view")?
  • Documentation
    • If you're lost, yell at me and I can write some sooner rather than later.
    • Or if you'd just find this interesting or whatever.
  • General
    • We believe policies are broadly at a level where they're usable, make sense, and are consistently enforced everywhere. If you see anything suspicious or confusing or which seems obviously broken or doesn't make sense, let us know. From here on out, they're expected to work in a generally reasonable way.

If you have feedback on any of this, file a new task and we'll merge things together into some smaller piles and move them forward separately with less than 100 people on the CC list. I'd guess that most of these topics are not interesting to most installs.
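
The comment above contrasts default-open, selective-deny policies with default-deny, selective-open ones, and mentions implicit author rules and the "user", "project" and "admin" custom rule types. The sketch below is an added example, not Phabricator code: a simplified model that assumes ordered rules where the first match wins, a per-policy default action, an implicit author grant, and a missing policy treated as "no one". All names and sample data are constructed.

```python
from dataclasses import dataclass

ALLOW, DENY = "allow", "deny"

@dataclass(frozen=True)
class Viewer:
    name: str
    projects: frozenset = frozenset()
    is_admin: bool = False

# Rule types named in the comment above ("lunar phase" is left out of this model).
RULE_TYPES = {
    "user": lambda v, value: v.name in value,
    "project": lambda v, value: bool(v.projects & set(value)),
    "admin": lambda v, value: v.is_admin,
}

@dataclass
class CustomPolicy:
    rules: list            # ordered (action, rule_type, value) tuples
    default: str = DENY    # action when no rule matches

    def validate(self):
        """Reject unknown rules and policies nobody could ever pass.
        This definition of "meaningless" is an assumption of the example."""
        for action, rule_type, _ in self.rules:
            if action not in (ALLOW, DENY) or rule_type not in RULE_TYPES:
                raise ValueError(f"invalid rule: {action} {rule_type}")
        if self.default == DENY and not any(a == ALLOW for a, _, _ in self.rules):
            raise ValueError("meaningless policy: it can never allow anyone")

    def decide(self, viewer):
        for action, rule_type, value in self.rules:
            if RULE_TYPES[rule_type](viewer, value):
                return action          # first matching rule wins
        return self.default

def can_view(viewer, obj, policies):
    if viewer.name == obj.get("author"):
        return True                    # implicit rule: authors see their own objects
    policy = policies.get(obj["viewPolicy"])
    if policy is None:
        return False                   # unknown or broken policy: fail closed
    return policy.decide(viewer) == ALLOW

# Constructed sample data.
VIEWERS = [
    Viewer("alice", is_admin=True),
    Viewer("bob", frozenset({"client-a"})),
    Viewer("carol", frozenset({"client-b"})),
    Viewer("dave"),
]
POLICIES = {
    # Default-open, selective-deny.
    "open-except-client-b": CustomPolicy([(DENY, "project", {"client-b"})], ALLOW),
    # Default-deny, selective-open.
    "client-a-only": CustomPolicy(
        [(ALLOW, "project", {"client-a"}), (ALLOW, "admin", None)], DENY),
}
TASK = {"author": "alice", "viewPolicy": "open-except-client-b"}
PASTE = {"author": "carol", "viewPolicy": "client-a-only"}
ORPHAN = {"author": None, "viewPolicy": "policy-that-no-longer-exists"}

def visible_to(obj):
    """Names of the sample viewers who can see obj."""
    return sorted(v.name for v in VIEWERS if can_view(v, obj, POLICIES))

if __name__ == "__main__":
    for label, obj in (("task", TASK), ("paste", PASTE), ("orphan", ORPHAN)):
        print(label, visible_to(obj))
```

In this model the default-deny policy needs an explicit rule for every group that should get in, which is the labor the comment anticipates for per-client installs.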

hwinkel added a comment. Via Web, Nov 30 2013, 10:34 PM

Should this nice description and question find a way into the docs?

hwinkel added a comment. Via Web, Nov 30 2013, 10:38 PM

Just configured a new clean phab instance, is there a way to set a default behavior? How can I lock out all people by default and give them access only if they belong to a project? "Installs with Clients or Project-Level Policy Implications": it's really labor intensive. Can we have a config option or install question which controls the general behavior and default permissions?

asherkin added a comment. Via Web, Nov 30 2013, 10:44 PM

Most default policies are configured in the Applications app, only a few have them right now - what do you need that is missing?

As @epriestley mentioned, that is currently the weakest state for the policy infrastructure right now, but will probably need to wait for T390 to get any real work.
