Sorry, I'm just now getting time to look at this.
If I'm reading this right, we can no longer do this, can we?
Their new model is that we can hide the forms, but not actually prevent people from modifying the fields...?
EDIT: Here's their official post: https://secure.phabricator.com/T10003
These policies are being removed because:
- all use cases we are aware of are about workflow tailoring, not actual access control, and form customization is a better (more general, more powerful) tool to achieve workflow goals.
Are we an edge case then?