A proof-of-concept implementation of an ACL system is available in lp:~bjornt/launchpad/privacy-spike. We're going to use that to implement ACLs for bugs. The reason we're doing this is to get something landed, so that we can test things using real data and use cases.
The first phase will consist of replacing the BugSubscription table with the BugTaskACL table when doing permission checking. This change won't be visible to users: everything is done under the hood, keeping the existing UI and functionality. A user will still need to be subscribed to a private bug in order to see it.
This is the list of tasks that need to happen. Each task should be possible to implement and land in its own branch. They don't necessarily need to happen in the order below, but some tasks do depend on other tasks.
Add the BugTaskACL table - get the db patch and model class landed.
Add the IACL interface and adapter, etc. - add the general ACL infrastructure that is needed, like the IACL interface and base adapter, the ACLObjectType enum, __acl_class__ attribute, etc.
Populate BugTaskACL table and keep it up-to-date - when subscribing/unsubscribing and changing privacy, the ACLs for the bugtasks should be updated to reflect the subscriber list if the bug is private, or to be the public ACL if it's public. We will have to update the ACLs for all the bug tasks, since the subscription is per bug, not per bug task.
Use the BugTaskACL table instead of the BugSubscription table - to check whether the user has access to view the bug. Before doing this, testing should be performed on staging, to ensure that we don't have a performance regression.
Add BugTask.private and write a trigger to keep it up-to-date - to keep queries for public bugs fast, we need to have an attribute on the bugtask to indicate whether it's public or private (public is the common case and should be fast). We don't need to use the attribute yet, since we already check Bug.private.
Use BugTask.private instead of Bug.private in permission queries - we want security to be on the bugtask level, not on the bug level. We should update all places where we use Bug.private to use BugTask.private where possible. It might not be possible to update it everywhere until we have the UI specification ready. For this reason, it might make sense not to do any work at all on this task before the UI is defined.
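Phase one only works if the BugTaskACL check gives the same answer as the current Bug.private plus BugSubscription check, and if the ACL rows are rebuilt on every subscription or privacy change. The sketch below is an added example, not code from the privacy-spike branch: the table columns, the NULL-person convention for the public ACL and the function names are assumptions, and SQLite stands in for Launchpad's database.

```python
import sqlite3

# Hypothetical schema (not on the page); person NULL means the public ACL.
SCHEMA = """
CREATE TABLE Bug (id INTEGER PRIMARY KEY, private INTEGER NOT NULL);
CREATE TABLE BugTask (id INTEGER PRIMARY KEY, bug INTEGER NOT NULL);
CREATE TABLE BugSubscription (bug INTEGER NOT NULL, person INTEGER NOT NULL);
CREATE TABLE BugTaskACL (bugtask INTEGER NOT NULL, person INTEGER);
"""

def sync_acl(conn, bug_id):
    """Rebuild the ACL rows of every bugtask of one bug."""
    private = conn.execute(
        "SELECT private FROM Bug WHERE id = ?", (bug_id,)).fetchone()[0]
    conn.execute("DELETE FROM BugTaskACL WHERE bugtask IN "
                 "(SELECT id FROM BugTask WHERE bug = ?)", (bug_id,))
    if private:  # subscriptions are per bug: copy them onto each bugtask
        sql = ("INSERT INTO BugTaskACL SELECT t.id, s.person FROM BugTask t "
               "JOIN BugSubscription s ON s.bug = t.bug WHERE t.bug = ?")
    else:  # one public-ACL row per bugtask
        sql = ("INSERT INTO BugTaskACL SELECT id, NULL FROM BugTask "
               "WHERE bug = ?")
    conn.execute(sql, (bug_id,))

def can_view_old(conn, task_id, person_id):  # Bug.private + BugSubscription
    return conn.execute(
        "SELECT 1 FROM BugTask t JOIN Bug b ON b.id = t.bug WHERE t.id = ? "
        "AND (b.private = 0 OR EXISTS (SELECT 1 FROM BugSubscription s "
        "WHERE s.bug = b.id AND s.person = ?))",
        (task_id, person_id)).fetchone() is not None

def can_view_acl(conn, task_id, person_id):  # phase one: BugTaskACL only
    return conn.execute(
        "SELECT 1 FROM BugTaskACL WHERE bugtask = ? "
        "AND (person IS NULL OR person = ?)",
        (task_id, person_id)).fetchone() is not None

def mismatches(conn, people):
    """(bugtask, person) pairs on which the two checks disagree."""
    tasks = [r[0] for r in conn.execute("SELECT id FROM BugTask ORDER BY id")]
    return [(t, p) for t in tasks for p in people
            if can_view_old(conn, t, p) != can_view_acl(conn, t, p)]

def sample_db():  # constructed data; ACLs not yet populated
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA + "INSERT INTO Bug VALUES (1, 0), (2, 1);"
        "INSERT INTO BugTask VALUES (10, 1), (20, 2), (21, 2);")
    return conn
```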