Page MenuHomePhabricator
Create Task
Maniphest T9019

Create a "Project Members" object policy for Projects
Closed, ResolvedPublic
Actions

Description

Currently we have a "subscribers" object policy but no "members" object policy. Often I want to restrict the editing of a project to the members of that project.

Revisions and Commits

rP Phabricator
AbandonedD14467 Add a "members of project" policy rule
D14869rP1c572d1da51f Implement a "Project Members" object policy rule

Related Objects

Event Timeline

joshuaspence created this task.Jul 30 2015, 1:21 PM
joshuaspence raised the priority of this task from to Needs Triage.
joshuaspence updated the task description. (Show Details)
joshuaspence added a project: Policy.
joshuaspence added a subscriber: joshuaspence.
Herald added a subscriber: eadler. · View Herald TranscriptJul 30 2015, 1:21 PM
chad added a subscriber: chad.Jul 30 2015, 2:06 PM

I don't follow what you're asking for here, what's a subscribers object policy?

epriestley added a subscriber: epriestley.Jul 30 2015, 2:16 PM

The "Subscribers" object policy is PhabricatorSubscriptionsSubscribersPolicyRule, which adds this thing:

Screen Shot 2015-07-30 at 7.15.14 AM.png (315×397 px, 31 KB)

A "Project Members" object policy would be equivalent to selecting "Members of X", but easier to pick out of the list and selectable as a default. It's likely fairly straightforward to implement. I think this is broadly reasonable.

epriestley added a comment.Jul 30 2015, 2:16 PM

A similar policy elsewhere is the Conpherence "Room Participants" object policy:

Screen Shot 2015-07-30 at 7.16.32 AM.png (257×369 px, 27 KB)

epriestley renamed this task from Create a "members" object policy to Create a "Project Members" object policy for Projects.Jul 30 2015, 2:17 PM
epriestley triaged this task as Low priority.
epriestley added a project: Projects.
johnny-bit added a subscriber: johnny-bit.EditedJul 30 2015, 2:20 PM

@chad - that's some object-specific policy... like "subscribers of this project" [is this "watchers" ?]... which to me is weird because I still don't get the distinction between subscribers and members... I mean obviously members are member and subscribers subscribe to changes in project and are not members, but to me subscribers are useless for most projects but members are ;)

So - from my (and possibly @joshuaspence) point of view it would be cool to have another object policy - "members", meaning "members of current project". This would be nice especially for policies like "visible to" and "editable by"... and possibly "joinable by" 😉

It would be even better for other items to have members policy... For example: Differential repos CAN have "project" connected to it. Now it would be freakin' sweet to simply have pre-defined settings for can view/edit/push set to members of associated projects 😄

@epriestley sure types faaast or I'm slow responder... it took me close to 15mins to type above...

chad added a comment.Jul 30 2015, 2:21 PM

haha, never noticed it!

epriestley added a comment.Jul 30 2015, 2:22 PM

They're fairly recent (last couple of months).

chad added a comment.Jul 30 2015, 2:22 PM

I will go find some now.

johnny-bit added a comment.Jul 30 2015, 2:25 PM

@epriestley - can those be set as default policies for objects that can have dynamic policies? For now my default policy is "All Users" and I lock down almost everything to specific projects, but it would be better for me to have project members be deault policy for almost everything.

epriestley added a comment.Jul 30 2015, 2:30 PM

Yes, but "Project Members" is not the same as "Members of associated projects", and I think we are unlikely to implement that in the upstream. You can implement it as an extension if you want that behavior.

johnny-bit added a comment.Jul 30 2015, 2:38 PM

Ou... so "project members" would be rather straightforward, but I guess "members of associated projects" would be NP-hard?

epriestley added a comment.Jul 30 2015, 2:44 PM

It's not difficult to implement.

I think it's difficult to communicate and understand, and is likely to create a lot of user confusion. I don't plan to bring it to the upstream because I believe it will be too hard for users to figure out and create high, ongoing support costs forever.

For example, it means that tagging a task with a categorical project like Badge Awarded opens it up to a lot of users, and this probably isn't obvious. Effectively, you can no longer use projects to categorize objects if they also affect policies. Similarly, tagging a task with a project like Security wouldn't lock it down, and this also probably isn't obvious. Generally, I think projects and policies are often conveying very different information.

Our expectation is that Spaces can solve most of the problems that "Members of associated projects" would otherwise solve.

swisspol added a subscriber: swisspol.Jul 30 2015, 2:50 PM

FWIW we are using projects this way i.e. setting Editable By to the project itself. The reason is two-fold:

  • to prevent non-members to edit the project details
  • to prevent random people from moving stuff in the workboards by mistake

The exception is for projects we use for access control only i.e. grouping people but no tasks, in which case they are editable by admins only.

Seems to work completely fine so far.

johnny-bit added a comment.Jul 30 2015, 2:52 PM

Thank You, this was perfect reasoning. I'll then consider extension route for
"members of associated projects" and I hope I can get it done ;)

wmatusiak added a subscriber: wmatusiak.Jul 31 2015, 2:00 PM
wmatusiak added a comment.Aug 11 2015, 1:06 PM

Hello,

I trying to implement this because we need this on our company installation.
Have almost working code now, but can't get thru one problem.

If i set default project policy view/edit to Members and Join to None can't create projects,
because user can't edit until is a member.
If i move join (TYPE_EDGE) transaction (in PhabricatorProjectEditDetailsController) to first $xactions array element transaction failed with "Can't join"
because no one but members can't join :(

Only solution I found is to explicit attach creator of project as project member before $editor->applyTransaction

if($is_new) {
  $project->atachMemberPHIDs(array($viewer->getPHID()));
}

I don't like this solution, but can't find other.
Any ideas?

I will gladly contribute this implementation.

20after4 awarded a token.Aug 12 2015, 7:02 PM
epriestley mentioned this in T9224: Probably add "Event Host" and "Event Invitees" Object Policies to Calendar Events.Aug 20 2015, 10:10 PM
joshuaspence claimed this task.Aug 24 2015, 10:16 AM
epriestley moved this task from Backlog to Projects v3 on the Projects board.Sep 9 2015, 11:20 PM
epriestley merged a task: T9422: Project object policies should include "Members of this project".Sep 15 2015, 12:07 PM
epriestley added subscribers: cspeckmim, hach-que.
cspeckmim removed a subscriber: cspeckmim.Oct 7 2015, 2:35 AM
joshuaspence added a revision: D14467: Add a "members of project" policy rule.Nov 12 2015, 8:06 AM
epriestley added a revision: D14869: Implement a "Project Members" object policy rule.Dec 24 2015, 11:13 AM
epriestley claimed this task.Dec 24 2015, 2:16 PM
epriestley closed this task as Resolved by committing rP1c572d1da51f: Implement a "Project Members" object policy rule.Dec 24 2015, 4:16 PM
epriestley added a commit: rP1c572d1da51f: Implement a "Project Members" object policy rule.
Phabricator · Built by Phacility