Page MenuHomePhabricator

Default Edit Policy for Differential
Closed, WontfixPublic

Description

It looks like the default editor policy for Differential revisions is to make them editable by all users. I'd like to change that so that new revisions are only editable by the revision's author, to prevent people from accidentally updating revisions that aren't theirs.

When I configure Differential from Applications, however, the only policies I can change are

  • Can Use Application
  • Can Configure Application
  • Default View Policy

If possible, I'd be nice to also have a Default Edit Policy that could be set to "Revision Author", like the Default Edit Policy for Maniphest.

Event Timeline

edibiase updated the task description. (Show Details)
edibiase added a project: Differential.
edibiase added a subscriber: edibiase.

accidentally updating revisions that aren't theirs

Are these updates legitimately accidental? Can you explain how users are accidentally making updates to others' revisions? I don't think we've seen this behavior on this install, or heard about it from other installs.

If the UI is sufficiently unclear that users are making mistakes with it, I'd like to fix the UI first.

(The underlying request is also a reasonable one, but I wouldn't consider it the best solution to accidental updates: the UI should prevent accidental updates primarily by being clear, consistent, and usable, not through technical barriers.)

Are these updates legitimately accidental? Can you explain how users are accidentally making updates to others' revisions? I don't think we've seen this behavior on this install, or heard about it from other installs.

As far as I know, nobody's actually done this on our install, so I was premature in filing this task. I apologize for that; I'll be more vigilant in the future about not filing tasks about hypothetical problems.

(For what it's worth, the totally hypothetical UI concern behind this request is that running arc diff --update with an accidentally incorrect revision ID would be less likely to succeed if revisions were only editable by their author.)

So, given all of that, if you'd like to close this out as Wontfix, that's fine by me. If this ever occurs for real I'd be happy to re-file with more information about what caused the mistake to occur.

epriestley claimed this task.

running arc diff --update with an accidentally incorrect revision ID would be less likely to succeed if revisions were only editable by their author

It already has a 0% chance of succeeding:

$ arc diff --update 4
Usage Exception: You don't own revision D4 'asdb'. You can only update revisions you own. You can 'Commandeer' this revision from the web interface if you want to become the owner.

Yeah, re-file if this ever comes to pass as a real problem rather than a purely hypothetical one.

Excellent; that's good to know. Thanks!

We just edited this ticket's information to test if we could indeed edit someone else's diff (don't worry - we changed it back).

To be good open-source citizens, we'd like to be able to have all our diffs be readable by the public, but allowing non-core contributors to edit a diff feels like it's inviting abuse, especially if Phabricator is used by a high-visibility open source project.