User permissions for editing differentials
Confirmed, Normal | Public | TO DO

Description

Currently users have very broad permissions for editing differentials, while we heavily restrict the editing abilities for tickets. This caused a recent incident on the bug tracker where a user edited titles of other people's differentials to draw attention to this problem.

On tickets we are being very restrictive; regular users are not allowed to change anything besides:

  • Status
  • Assign / Claim

On differentials they are allowed to modify everything. They can change:

  • Title
  • Summary
  • Reviewers
  • Repository
  • Policy
  • Visibility
  • Commandeer Revision (essentially take ownership)
  • Update the diff

While we want to be as open as possible so that every member of the community can participate in the development, some of these permissions should likely not be given to a regular user.

Event Timeline

Robert Guetzkow (rjg) changed the task status from Needs Triage to Confirmed. Dec 14 2020, 11:31 AM
Robert Guetzkow (rjg) created this task.

Note: moderators should still be able to modify these properties.

This is a limitation in Phabricator: there is no distinction between being able to submit a new diff and editing an existing one.

We could implement some permissions for this ourselves, though I'm not convinced it's actually worth the time.