Maniphest Task cards view policy to member of project only


#1

In my project settings, currently, the field visible to: Project members only.

I noticed a user is capable of searching all tasks in all projects including the one they did not subscribe/join and view them all.
Anyway to prevent users who does not join to not be able to view other project task cards?

  1. Currently, when I create a card, the subscriber field always include the author task name. Is there anyway I can include the “current project” name AND also the author task in the “Subscriber” field?

  2. By doing number #1, i probably can set the task card “Visible To” : Subscribers.


#2

First, projects do not effect policies in the way you think: https://secure.phabricator.com/book/phabricator/article/projects/#understanding-policies

More pointedly, Tasks are not “In” a project, but are “Tagged With” a project.

About creating default values for tasks:

  • There’s the Custom Forms option
  • There’s Prefilling (template)
  • There’s Default Visibility For New Tasks (Applications -> configure Meniphest)

but non of these is actually good for you.

There are several ways this could be achieved:

  1. Set default view policy to Subscribers, and then use Herald to automatically add the Project to Subscribers if the tasks is tagged with it. You can do this yourself without writing code.
  2. Add a custom policy of “Members of Projects This Task is Tagged with”, and use that as default policy. This requires code, but it might be considered for the upstream.
  3. Add a feature for Boards where the Create Task button is using a specified custom form/prefilling, and configure that. This requires code, but it might make sense for the upstream. Also this is harder to implement on your end than option 2.
  4. Set default visibility to “Author Only”, and train users to fix it. You can do this yourself, but it require training users.
  5. Use Spaces to block visibility very much. You don’t need to write code for this, but it requires training users and might not be what you want after all.

I can see the merit of option 2 and 3 for the upstream, but there might be some downsides I’m not currently seeing (Making the product more complicated is one downside).


#3

avivey, thank you for the prompt response.
Yes, i am looking at option 2 / 3 as well, and they do seems like a better longer term solution.
I think i will go with option 2. Question now is, what code is this that is required? like editing the php code?
Is it possible that you can guide me, if that’s the case ?


#4

Good luck!