It looks like we are currently allowing any logged in user to create and manage newsletters. Perhaps a new right ('manage-newsletter'?) should be used instead of allowing anyone to make changes. Special:Newsletters should be available to all users (without subscription for IPs).
Description
Description
Details
Details
Customize query in gerrit
| Status | Subtype | Assigned | Task | ||
|---|---|---|---|---|---|
| Duplicate | Qgil | T125545 Phabricator Q&A session for Community Liaisons | |||
| Resolved | Qgil | T116025 Goal: Align Community Liaison and Developer Relations project management practices | |||
| Resolved | Qgil | T119387 Community Liaison and Developer Relation quarterly goals for January - March 2016 | |||
| Declined | None | T104131 Exporting existing newsletter to the Newsletter extension | |||
| Resolved | Addshore | T110170 Goal: Deploy Newsletter extension in Wikimedia | |||
| Resolved | Qgil | T110642 Implement all the features required for running the Newsletter extension in Wikimedia | |||
| Resolved | Glaisher | T110327 Add user rights for Newsletter extension | |||
| Resolved | Glaisher | T114145 Allow publishers to remove themselves |
Event Timeline
Comment Actions
The possibility to create newsletters for all registered users was a conscious decision taken in the context of T100125.
Today even anonymous users can create a newsletter (create the wiki pages that make a newsletter). We went for registered users becauses it sounded sensible to restrict it a bit.
In our discussions we took into account the fact that a newsletter creator has a possibility to spam users limited by the success of their newsletter at getting subscribers. A newsletter created in a whim with lorem ipsum content is still a problem that we need to resolve, but no sane users will subscribe to that newsletter.
In order to publish a new issue (and therefore have a chance to spam subscribers) the user needs to have an email address confirmed. I just learned that unconfirmed users can create newsletters. For consistency, it would make sense to ask newsletter owners to be confirmed as well.
Comment Actions
Agreed. We should also prevent blocked users from creating and announcing new issues (It doesn't look like that it's currently restricted for blocked users).
Comment Actions
https://gerrit.wikimedia.org/r/#/c/234259/ will prevent blocked users from creating newsletters.
Comment Actions
Once T117043 is merged, only those newsletters which can be managed by the logged in user will be listed. So only if you are a publisher do you get a list of newsletters in Special: NewsletterManage, nullifying the need of 'manage-newsletter' right ?
Comment Actions
This is what I've in mind regarding user rights for the extension.
- All publishers and users with newsletter-delete right can delete newsletters. newsletter-delete right is given to administrators by default and allows to delete newsletters even if they are not a publisher. This is useful for example if a vandal creates a newsletter and if only publishers are allowed to delete, sysops will have to become publishers before deleting and that would be a hassle on mass attacks and all.
- Users with newsletter-create right can create new newsletters and is given to autoconfirmed users by default. This is to allow specific wikis to configure their rights on a more granular level.
- All publishers and users with newsletter-manage right can edit details about the newsletters and add/remove publishers. This right is given to administrators by default.
The rights are given to sysops to allow them to be "global managers" but they will need to be a publisher for specific newsletters to announce new issues.
Comment Actions
Change 252724 had a related patch set uploaded (by Glaisher):
Allow users with 'newsletter-manage' right to add/remove publishers
Comment Actions
Change 252913 had a related patch set uploaded (by Glaisher):
Add newsletter-create right
Comment Actions
Change 252918 had a related patch set uploaded (by Glaisher):
Add 'newsletter-delete' right
Comment Actions
Change 252724 merged by jenkins-bot:
Allow users with 'newsletter-manage' right to add/remove publishers
Comment Actions
Yes. Special:ManageNewsletter doesn't work correctly with the permissions. I'll be fixing that along with last part of T107555 merging that page with Special:Newsletter. I wrote some of the code for it a few weeks ago but it's not complete yet and I haven't been able to work on it lately. Hopefully will be working on it soon(TM).
Comment Actions
OOUI HTMLForm doesn't fully support forms with multiple sections so I think we might have to have an awful hack to get this done if we want to do it quickly. How HTMLForm creates forms with multiple sections is also awful so fixing the root issue also doesn't seem to be that easy. See T122691.
Comment Actions
Change 269999 had a related patch set uploaded (by Glaisher):
Add manage form to Special:Newsletter
Comment Actions
Instead of above, I decided to have a basic form (which is not very user friendly) with PHP and then use JavaScript to make it nicer and more user-friendly.