Allow private comments on all commentable resources
Sometimes it is useful to discuss things privately with a project team and internal participants in an issue. Having a means of making public and private comments is extremely useful in those cases.

Example use cases:

* When GitLab is used for Service Desk scenarios and Support team members want to discuss details in the context of an issue but don't want to overload the issue reporter with details.
* For companies with a public issue tracker, this feature gives team members the ability to discuss and share internal data related to feature development. GitLab is a great example!

It should be possible to mark a comment as private. If a comment is marked as private, all replies inherit that setting. Only project members and issue (merge request, epic, snippet) participants can see and reply to the comment.

![image](/uploads/f707a10f742e12ddbc9f306a91885b96/image.png)

<details>
<summary>Original description</summary>

### Problem to solve

In a Service Desk situation, it is sometimes desirable to discuss some matter privately within the support team and internal participants to an issue, without creating a separate issue, which is cumbersome because it breaks the flow and timeline of the support issue. Having a means of making public and private comments is extremely useful in those cases.

### Intended users

* [Sasha (Software Developer)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#sasha-software-developer)
* [Sidney (Systems Administrator)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#sidney-systems-administrator)
* [Sam (Security Analyst)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#sam-security-analyst)
* Support Engineer

> As a software developer, I would like to collaborate with the support team directly on a Service Desk issue, without providing visibility to the end-user.

> As a security analyst, I would like to be able to offer security / vulnerability assessments within issues without worry of providing potentially sensitive information to the end-user.

> As a support engineer, I need the ability to collaborate on Service Desk issues internally with the above personas to formulate an appropriate response to the end-user.

### Proposal

Add a checkbox under the comment box textarea to allow the user to mark the comment as `Private`.

For MVC, if a comment is marked `Private`, any and all replies will inherit this setting, with no option to mark it `Public`. Hence, a `Private` thread will always remain `Private`.

All comments added via email reply will be considered `Public` as they are now.

Designs available [here](https://gitlab.com/gitlab-org/gitlab/issues/2459/designs/private-comment.png) (in the design tab).

### Documentation

* Update documentation to describe use of `Public` vs. `Private` comment.
* Ensure it is clear who has visibility to `Private` comments (Service Desk users)
* Clarify that email responses will be `public` comments.

</details>

<!-- triage-serverless v3 PLEASE DO NOT REMOVE THIS SECTION -->

*This page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc.*

<!-- triage-serverless v3 PLEASE DO NOT REMOVE THIS SECTION -->

## :clock: Expected Functionality

- Discussion notes can be set as confidential when created (via UI and API).
- Scope can be limited to issues, to begin with, and subsequently, be rolled out to other resources (to be determined).
- Once a confidential note is created, it can be seen by the author and all authorized users. That is:
  - Project members with the role of Reporter+.
  - Non-project-member or Guest that has been assigned to the issue.
- A note's confidentiality can be updated with the right permissions (to be determined).
- If a note is created as confidential, all replies will be set as confidential automatically. In other words, replies don’t have a checkbox to set confidentiality because they will inherit it from the parent note.

## :tools: Implementation

Feature flag: `confidential_notes`

Rollout issue: https://gitlab.com/gitlab-org/gitlab/-/issues/207474

### Part I: Add new attribute to Note

- [x] https://gitlab.com/gitlab-org/gitlab/-/issues/207468+

### Part II: Implement permissions

- [x] https://gitlab.com/gitlab-org/gitlab/-/issues/207469+
- [x] https://gitlab.com/gitlab-org/gitlab/-/issues/207469+

### Part III: UI support for issues

- [x] https://gitlab.com/gitlab-org/gitlab/-/issues/207476+
- [x] https://gitlab.com/gitlab-org/gitlab/-/issues/207471+

### Part IV: API support to set confidential attribute when creating notes

- [x] https://gitlab.com/gitlab-org/gitlab/-/issues/207473+
- [x] https://gitlab.com/gitlab-org/gitlab/-/issues/207472+

### Part V: API support to update confidential attribute of existing notes

- [x] https://gitlab.com/gitlab-org/gitlab/-/issues/301234+

### Part VI: Validation + Fixes

- [x] https://gitlab.com/gitlab-org/gitlab/-/issues/321778+
- [ ] https://gitlab.com/gitlab-org/gitlab/-/issues/321445+
- [x] https://gitlab.com/gitlab-org/gitlab/-/issues/335511+
- [x] https://gitlab.com/gitlab-org/gitlab/-/issues/326061+
- [x] https://gitlab.com/gitlab-org/gitlab/-/issues/326210+
- [x] https://gitlab.com/gitlab-org/gitlab/-/issues/208662+

### Part VII: Rollout for issues

- [ ] https://gitlab.com/groups/gitlab-org/-/epics/7407+
- [ ] https://gitlab.com/gitlab-org/gitlab/-/issues/207474+

## :warning: Verification required before rollout

- [x] When viewing the issue, if I'm not a member of the project, I should not be able to see confidential comments.
- [x] When viewing the activity feed in a user's profile, I should not see activity for confidential comments in projects where I am not a member.
- [x] When being removed from a project, I can no longer see confidential comments (maybe applicable to public projects only)
- [ ] When my group/project share is removed, I can no longer see confidential comments.
- [x] When querying the notes for a project that I am not a member of, I should not see confidential comments.
- [x] RSS Feed (https://gitlab.com/gitlab-org/gitlab/-/issues/326061)
- [x] User, project activity feeds (https://gitlab.com/gitlab-org/gitlab/-/issues/326210)
- [x] New comment notifications from Service Desk https://gitlab.com/gitlab-org/gitlab/-/issues/329366
- [ ] ....
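
The visibility rule under Expected Functionality and the rollout checks above, modeled as a single read-time filter. This is an added sketch, not GitLab's code: the `Issue`, `Note` and `visible_note_ids` names and the sample users are hypothetical, and the numeric role levels follow GitLab's Guest (10) through Owner (50) access levels.

```ruby
# Added illustration, not GitLab's code: all class and method names are hypothetical.
ROLES = { guest: 10, reporter: 20, developer: 30, maintainer: 40, owner: 50 }.freeze

Note = Struct.new(:id, :author, :confidential, :parent) do
  # A reply has no flag of its own; it inherits from the note that started the thread.
  def confidential?
    parent ? parent.confidential? : confidential
  end
end

class Issue
  def initialize(members:, assignees: [])
    @members = members      # user => role, current membership only
    @assignees = assignees
    @notes = []
  end

  def remove_member(user)
    @members.delete(user)
  end

  def add_note(author, confidential: false, parent: nil)
    Note.new(@notes.size + 1, author, confidential, parent).tap { |n| @notes << n }
  end

  # Single decision point, evaluated at read time against current membership.
  def can_read?(user, note)
    return true unless note.confidential?
    return true if note.author == user || @assignees.include?(user)
    ROLES.fetch(@members[user], 0) >= ROLES[:reporter]
  end

  # Issue page, notes API, activity feed and RSS should all read through this filter.
  def visible_note_ids(user)
    @notes.select { |n| can_read?(user, n) }.map(&:id)
  end
end

# Constructed sample data: one public note, one confidential thread with a reply.
def sample_issue
  members = { "dev" => :developer, "rep" => :reporter, "guest" => :guest, "helper" => :guest }
  issue = Issue.new(members: members, assignees: ["helper"])
  issue.add_note("customer")                          # id 1, public
  thread = issue.add_note("dev", confidential: true)  # id 2, confidential
  issue.add_note("helper", parent: thread)            # id 3, inherits confidentiality
  issue
end
```

Because membership is checked when the notes are read rather than when they are written, removing a member takes effect on the next request without touching the stored notes.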