Page MenuHomePhabricator

Add user rights for Newsletter extension
Closed, ResolvedPublic

Description

It looks like we are currently allowing any logged in user to create and manage newsletters. Perhaps a new right ('manage-newsletter'?) should be used instead of allowing anyone to make changes. Special:Newsletters should be available to all users (without subscription for IPs).

Details

Related Gerrit Patches:
mediawiki/extensions/Newsletter : masterAdd manage form to Special:Newsletter
mediawiki/extensions/Newsletter : masterAdd 'newsletter-delete' right
mediawiki/extensions/Newsletter : masterAdd newsletter-create right
mediawiki/extensions/Newsletter : masterAllow users with 'newsletter-manage' right to add/remove publishers

Event Timeline

Glaisher raised the priority of this task from to Needs Triage.
Glaisher updated the task description. (Show Details)
Glaisher added a subscriber: Glaisher.
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptAug 26 2015, 12:21 PM
Qgil triaged this task as Low priority.Aug 26 2015, 2:19 PM
Qgil added a subscriber: Qgil.

The possibility to create newsletters for all registered users was a conscious decision taken in the context of T100125.

Today even anonymous users can create a newsletter (create the wiki pages that make a newsletter). We went for registered users becauses it sounded sensible to restrict it a bit.

In our discussions we took into account the fact that a newsletter creator has a possibility to spam users limited by the success of their newsletter at getting subscribers. A newsletter created in a whim with lorem ipsum content is still a problem that we need to resolve, but no sane users will subscribe to that newsletter.

In order to publish a new issue (and therefore have a chance to spam subscribers) the user needs to have an email address confirmed. I just learned that unconfirmed users can create newsletters. For consistency, it would make sense to ask newsletter owners to be confirmed as well.

[...] For consistency, it would make sense to ask newsletter owners to be confirmed as well.

Agreed. We should also prevent blocked users from creating and announcing new issues (It doesn't look like that it's currently restricted for blocked users).

https://gerrit.wikimedia.org/r/#/c/234259/ will prevent blocked users from creating newsletters.

Once T117043 is merged, only those newsletters which can be managed by the logged in user will be listed. So only if you are a publisher do you get a list of newsletters in Special: NewsletterManage, nullifying the need of 'manage-newsletter' right ?

This is what I've in mind regarding user rights for the extension.

  • All publishers and users with newsletter-delete right can delete newsletters. newsletter-delete right is given to administrators by default and allows to delete newsletters even if they are not a publisher. This is useful for example if a vandal creates a newsletter and if only publishers are allowed to delete, sysops will have to become publishers before deleting and that would be a hassle on mass attacks and all.
  • Users with newsletter-create right can create new newsletters and is given to autoconfirmed users by default. This is to allow specific wikis to configure their rights on a more granular level.
  • All publishers and users with newsletter-manage right can edit details about the newsletters and add/remove publishers. This right is given to administrators by default.

The rights are given to sysops to allow them to be "global managers" but they will need to be a publisher for specific newsletters to announce new issues.

Qgil raised the priority of this task from Low to Medium.Nov 12 2015, 12:11 PM

Change 252724 had a related patch set uploaded (by Glaisher):
Allow users with 'newsletter-manage' right to add/remove publishers

https://gerrit.wikimedia.org/r/252724

Change 252913 had a related patch set uploaded (by Glaisher):
Add newsletter-create right

https://gerrit.wikimedia.org/r/252913

Change 252918 had a related patch set uploaded (by Glaisher):
Add 'newsletter-delete' right

https://gerrit.wikimedia.org/r/252918

Change 252724 merged by jenkins-bot:
Allow users with 'newsletter-manage' right to add/remove publishers

https://gerrit.wikimedia.org/r/252724

Change 252913 merged by jenkins-bot:
Add newsletter-create right

https://gerrit.wikimedia.org/r/252913

Change 252918 merged by jenkins-bot:
Add 'newsletter-delete' right

https://gerrit.wikimedia.org/r/252918

@Glaisher : anythng more to be done with the user rights in this task ?

@Glaisher : anythng more to be done with the user rights in this task ?

Yes. Special:ManageNewsletter doesn't work correctly with the permissions. I'll be fixing that along with last part of T107555 merging that page with Special:Newsletter. I wrote some of the code for it a few weeks ago but it's not complete yet and I haven't been able to work on it lately. Hopefully will be working on it soon(TM).

Yes. Special:ManageNewsletter doesn't work correctly with the permissions. I'll be fixing that along with last part of T107555 merging that page with Special:Newsletter. I wrote some of the code for it a few weeks ago but it's not complete yet and I haven't been able to work on it lately. Hopefully will be working on it soon(TM).

OOUI HTMLForm doesn't fully support forms with multiple sections so I think we might have to have an awful hack to get this done if we want to do it quickly. How HTMLForm creates forms with multiple sections is also awful so fixing the root issue also doesn't seem to be that easy. See T122691.

Change 269999 had a related patch set uploaded (by Glaisher):
Add manage form to Special:Newsletter

https://gerrit.wikimedia.org/r/269999

Instead of above, I decided to have a basic form (which is not very user friendly) with PHP and then use JavaScript to make it nicer and more user-friendly.

Change 269999 merged by jenkins-bot:
Add manage form to Special:Newsletter

https://gerrit.wikimedia.org/r/269999

Glaisher closed this task as Resolved.Feb 15 2016, 5:42 PM