Page MenuHomePhorge

Set up initial policies
Closed, ResolvedPublic

Description

If this install is going to be public, we'll want to hide dangerous things (custom policies, bulk editing, etc.) for new users to avoid chaos from vandalism. A Wikimedia-style self-growing group is probably fine for most things, we might need to use separate policies for control push access to the main repositories or for security issue access.

Event Timeline

Matthew added a subscriber: Matthew.

I can take care of the initial setup for this issue.

Here's my thoughts right now:
Trusted Contributors - This would be the self-growing trusted group. Bulk editing, custom policies, etc.
Blessed Committers - This would be the group with permission to land changes to the repository after code review.
Security Viewers - "Access list for security" - Users in this group can view security issues.

Any others?

I think that's good to get us going. Who would be able to manage membership of the blessed_commiters / security groups? Admins?

EDIT: Will you take care of hiding dangerous actions from non-trusted too?

In T15001#23, @taavi wrote:

I think that's good to get us going. Who would be able to manage membership of the blessed_commiters / security groups? Admins?

I think so, at least initially.

EDIT: Will you take care of hiding dangerous actions from non-trusted too?

Sure.

Okay, I have set up the projects, spaces, forms, and other policies with one exception: I can't remember how to restrict arc land, so I'm going to take care of that in a bit.

In T15001#26, @Matthew wrote:

Okay, I have set up the projects, spaces, forms, and other policies with one exception:

At least in Maniphest all users seem to still be able to mess with custom policies.

I can't remember how to restrict arc land, so I'm going to take care of that in a bit.

I think that is https://secure.phorge.it/diffusion/PHORGE/manage/policies/

In T15001#27, @taavi wrote:
In T15001#26, @Matthew wrote:

Okay, I have set up the projects, spaces, forms, and other policies with one exception:

At least in Maniphest all users seem to still be able to mess with custom policies.

I will made the adjustment to the forms, I'd think we want a simple create for anyone new anyway

I can't remember how to restrict arc land, so I'm going to take care of that in a bit.

I think that is https://secure.phorge.it/diffusion/PHORGE/manage/policies/

Done.

Okay, this is done. My solution is four Maniphest forms:

  • Create Task - This is the simple create form for tasks. it defaults to "needs triage," doesn't provide a chance to assign the task to someone, and hides the policies of a task.
  • Create Task (Advanced) - This is the full create task form. It is restricted to Trusted Contributors
  • Create Security Task - This is a create form visible to everyone. It automatically puts the task in S2, assigns the #security project, and creates a custom policy on the task.
  • Edit Task - This is the same form as Create Task (Advanced), but it is set as the edit form due to the permission restrictions on that form.

Thanks. We might want to add Trusted Contributors create/edit policies on projects too, but otherwise I think that should be everything to get us started.

Matthew edited projects, added Phorge Upstream; removed Phorge.

Done!

One final change I will make, I've created a Phorge Upstream project, so that way the Phorge project can be about the software.

I was initially planning to use Phorge for upstream maintenance and project governance and using individual projects for apps (Maniphest, for example). If Phorge is about the software, where are you planning to put project governance?

Could just do like Phorge UpstreamGovernance, PhorgeManiphest, etc. with subprojects to have a kind of clean-ish separation between "application" stuff and "administrative" stuff?

In T15001#38, @chris wrote:

Could just do like Phorge UpstreamGovernance, PhorgeManiphest, etc. with subprojects to have a kind of clean-ish separation between "application" stuff and "administrative" stuff?

I really like that use of sub projects. I’ll go ahead and create a task for discussion and implementation.

Matthew changed the visibility from "All Users" to "Public (No Login Required)".Jun 11 2021, 23:53

Just a note that Trusted Contributors can’t self grow beyond admins adding people currently as to add members you need to be able to edit the project. Currently only admins can edit the project.

Just a note that Trusted Contributors can’t self grow beyond admins adding people currently as to add members you need to be able to edit the project. Currently only admins can edit the project.

IMO the edit policy should be set to Project Members. This way it’ll be able to self grow. :)

Just a note that Trusted Contributors can’t self grow beyond admins adding people currently as to add members you need to be able to edit the project. Currently only admins can edit the project.

IMO the edit policy should be set to Project Members. This way it’ll be able to self grow. :)

Done