Page MenuHomePhabricator
Create Task
Maniphest T110327

Add user rights for Newsletter extension
Closed, ResolvedPublic
Actions

Description

It looks like we are currently allowing any logged in user to create and manage newsletters. Perhaps a new right ('manage-newsletter'?) should be used instead of allowing anyone to make changes. Special:Newsletters should be available to all users (without subscription for IPs).

Details

ProjectBranchLines +/-Subject
mediawiki/extensions/Newslettermaster+217 -40Add manage form to Special:Newsletter
mediawiki/extensions/Newslettermaster+24 -10Add 'newsletter-delete' right
mediawiki/extensions/Newslettermaster+10 -2Add newsletter-create right
mediawiki/extensions/Newslettermaster+67 -39Allow users with 'newsletter-manage' right to add/remove publishers
Customize query in gerrit

Related Objects
Search...

Event Timeline

Glaisher created this task.Aug 26 2015, 12:21 PM
Glaisher raised the priority of this task from to Needs Triage.
Glaisher updated the task description. (Show Details)
Glaisher added a project: MediaWiki-extensions-Newsletter.
Glaisher added a subscriber: Glaisher.
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptAug 26 2015, 12:21 PM
Qgil triaged this task as Low priority.Aug 26 2015, 2:19 PM
Qgil added a subscriber: Qgil.

The possibility to create newsletters for all registered users was a conscious decision taken in the context of T100125.

Today even anonymous users can create a newsletter (create the wiki pages that make a newsletter). We went for registered users becauses it sounded sensible to restrict it a bit.

In our discussions we took into account the fact that a newsletter creator has a possibility to spam users limited by the success of their newsletter at getting subscribers. A newsletter created in a whim with lorem ipsum content is still a problem that we need to resolve, but no sane users will subscribe to that newsletter.

In order to publish a new issue (and therefore have a chance to spam subscribers) the user needs to have an email address confirmed. I just learned that unconfirmed users can create newsletters. For consistency, it would make sense to ask newsletter owners to be confirmed as well.

Glaisher added a comment.Aug 26 2015, 4:45 PM
In T110327#1575366, @Qgil wrote:

[...] For consistency, it would make sense to ask newsletter owners to be confirmed as well.

Agreed. We should also prevent blocked users from creating and announcing new issues (It doesn't look like that it's currently restricted for blocked users).

Glaisher added a comment.Aug 27 2015, 12:19 PM

https://gerrit.wikimedia.org/r/#/c/234259/ will prevent blocked users from creating newsletters.

Glaisher mentioned this in rMEXTe0b086cfd8b4: Updated mediawiki/extensions Project: mediawiki/extensions/Newsletter….Aug 27 2015, 2:56 PM
Addshore mentioned this in rENLT3f7704a025c0: Make SpecialNewsletterCreate extend FormSpecialPage.Aug 27 2015, 2:56 PM
Qgil moved this task from Backlog to Technical review on the MediaWiki-extensions-Newsletter board.Aug 28 2015, 11:51 AM
Liuxinyu970226 set Security to None.Oct 19 2015, 11:05 AM
Glaisher added a parent task: T110642: Implement all the features required for running the Newsletter extension in Wikimedia.Oct 23 2015, 11:33 AM
Tinaj1234 added a subscriber: Tinaj1234.Nov 12 2015, 7:39 AM

Once T117043 is merged, only those newsletters which can be managed by the logged in user will be listed. So only if you are a publisher do you get a list of newsletters in Special: NewsletterManage, nullifying the need of 'manage-newsletter' right ?

Qgil moved this task from Technical review to Needs discussion on the MediaWiki-extensions-Newsletter board.Nov 12 2015, 11:49 AM
Glaisher added a comment.Nov 12 2015, 11:53 AM

This is what I've in mind regarding user rights for the extension.

  • All publishers and users with newsletter-delete right can delete newsletters. newsletter-delete right is given to administrators by default and allows to delete newsletters even if they are not a publisher. This is useful for example if a vandal creates a newsletter and if only publishers are allowed to delete, sysops will have to become publishers before deleting and that would be a hassle on mass attacks and all.
  • Users with newsletter-create right can create new newsletters and is given to autoconfirmed users by default. This is to allow specific wikis to configure their rights on a more granular level.
  • All publishers and users with newsletter-manage right can edit details about the newsletters and add/remove publishers. This right is given to administrators by default.

The rights are given to sysops to allow them to be "global managers" but they will need to be a publisher for specific newsletters to announce new issues.

QuimGil moved this task from Needs discussion to Feature complete on the MediaWiki-extensions-Newsletter board.Nov 12 2015, 11:55 AM
Qgil raised the priority of this task from Low to Medium.Nov 12 2015, 12:11 PM
Glaisher added a subtask: T114145: Allow publishers to remove themselves.Nov 12 2015, 5:16 PM
gerritbot added a subscriber: gerritbot.Nov 12 2015, 5:52 PM

Change 252724 had a related patch set uploaded (by Glaisher):
Allow users with 'newsletter-manage' right to add/remove publishers

https://gerrit.wikimedia.org/r/252724

gerritbot added a project: Patch-For-Review.Nov 12 2015, 5:52 PM
gerritbot added a comment.Nov 13 2015, 11:43 AM

Change 252913 had a related patch set uploaded (by Glaisher):
Add newsletter-create right

https://gerrit.wikimedia.org/r/252913

gerritbot added a comment.Nov 13 2015, 12:00 PM

Change 252918 had a related patch set uploaded (by Glaisher):
Add 'newsletter-delete' right

https://gerrit.wikimedia.org/r/252918

gerritbot added a comment.Nov 16 2015, 3:17 PM

Change 252724 merged by jenkins-bot:
Allow users with 'newsletter-manage' right to add/remove publishers

https://gerrit.wikimedia.org/r/252724

gerritbot added a comment.Nov 16 2015, 3:18 PM

Change 252913 merged by jenkins-bot:
Add newsletter-create right

https://gerrit.wikimedia.org/r/252913

gerritbot added a comment.Nov 16 2015, 3:19 PM

Change 252918 merged by jenkins-bot:
Add 'newsletter-delete' right

https://gerrit.wikimedia.org/r/252918

Glaisher closed subtask T114145: Allow publishers to remove themselves as Resolved.Nov 16 2015, 4:48 PM
Tinaj1234 assigned this task to Glaisher.Nov 19 2015, 11:53 AM
01tonythomas added a subscriber: 01tonythomas.Dec 30 2015, 4:22 PM

@Glaisher : anythng more to be done with the user rights in this task ?

Glaisher added a comment.Dec 30 2015, 4:26 PM
In T110327#1910036, @01tonythomas wrote:

@Glaisher : anythng more to be done with the user rights in this task ?

Yes. Special:ManageNewsletter doesn't work correctly with the permissions. I'll be fixing that along with last part of T107555 merging that page with Special:Newsletter. I wrote some of the code for it a few weeks ago but it's not complete yet and I haven't been able to work on it lately. Hopefully will be working on it soon(TM).

Glaisher mentioned this in T122691: OOUI HTMLForms doesn't show errors for forms with multiple sections.Dec 31 2015, 6:32 AM
Glaisher added a comment.Dec 31 2015, 6:34 AM
In T110327#1910039, @Glaisher wrote:

Yes. Special:ManageNewsletter doesn't work correctly with the permissions. I'll be fixing that along with last part of T107555 merging that page with Special:Newsletter. I wrote some of the code for it a few weeks ago but it's not complete yet and I haven't been able to work on it lately. Hopefully will be working on it soon(TM).

OOUI HTMLForm doesn't fully support forms with multiple sections so I think we might have to have an awful hack to get this done if we want to do it quickly. How HTMLForm creates forms with multiple sections is also awful so fixing the root issue also doesn't seem to be that easy. See T122691.

gerritbot added a comment.Feb 11 2016, 4:48 PM

Change 269999 had a related patch set uploaded (by Glaisher):
Add manage form to Special:Newsletter

https://gerrit.wikimedia.org/r/269999

Glaisher added a comment.Feb 11 2016, 4:49 PM

Instead of above, I decided to have a basic form (which is not very user friendly) with PHP and then use JavaScript to make it nicer and more user-friendly.

gerritbot added a comment.Feb 15 2016, 5:46 AM

Change 269999 merged by jenkins-bot:
Add manage form to Special:Newsletter

https://gerrit.wikimedia.org/r/269999

Glaisher closed this task as Resolved.Feb 15 2016, 5:42 PM
Content licensed under Creative Commons Attribution-ShareAlike 4.0 (CC-BY-SA) unless otherwise noted; code licensed under GNU General Public License (GPL) or other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL