Under `/applications/view/PhabricatorManiphestApplication/` there currently is only `Can Edit Task Status` which can be set to `All Users` or `Administrators`.
Neither choice is a good one. Setting it to `Administrators` means, that normal, non-administrator users cannot create new tasks (such as bug reports or feature requests). In our project installation we want normal, non-administrator to be able to create new tasks. Our only option at the moment is to set it to `All Users`. But this is also not really what we want. Having a user modify its own ticket is okay. But having arbitrary normal, non-administrator users being able to modify each and every task is a security issue.
A good policy for `Can Edit Task Status` would be `Ticket Creator and Administrators`.
Alternatively, other bug trackers such as `trac` allow normal, non-administrator users to create tickets, but not to modify any. Seems even better to me. Configuring as such is currently not possible with maniphest.
Talked about this yesterday with @epriestly on IRC. So if my report is unclear, he can hopefully clarify it.