Page MenuHomePhabricator

Edit history is not available to admins
Open, MediumPublic

Description

Do we need to surface change history for dashboard entities?

Event Timeline

awight raised the priority of this task from to Needs Triage.
awight updated the task description. (Show Details)
awight added subscribers: Luke081515, csteipp, Aklapper and 2 others.

To clarify, why is this marked security? Is it due to people potentially vandalizing EP stuff and not easily being revertable, or is there something more?

[Also it should be noted, not having a history may be in violation of copyright licenses]

This is mainly relevant for courses that are not set to edit Wikipedia. In that case, the course data (who is enrolled, what each enrolled user is assigned, as well as the basic course data, as well as the freeform content of the course description and timeline) is only retained in the latest form.

Only admins and the users who are instructors for a course are allowed to change the description and timeline, though.

This is mainly relevant for courses that are not set to edit Wikipedia. In that case, the course data (who is enrolled, what each enrolled user is assigned, as well as the basic course data, as well as the freeform content of the course description and timeline) is only retained in the latest form.

Only admins and the users who are instructors for a course are allowed to change the description and timeline, though.

Ignoring any legal issues, do you need to track who changed that data for vandalism fighting? If there's no audit of who made the change, that seems like an area ripe for abuse.

This is mainly relevant for courses that are not set to edit Wikipedia. In that case, the course data (who is enrolled, what each enrolled user is assigned, as well as the basic course data, as well as the freeform content of the course description and timeline) is only retained in the latest form.

Only admins and the users who are instructors for a course are allowed to change the description and timeline, though.

Ignoring any legal issues, do you need to track who changed that data for vandalism fighting? If there's no audit of who made the change, that seems like an area ripe for abuse.

No. A course that hasn't yet been submitted is only visible to the person who created it (and admins). After it's been submitted, it is still only editable by the person who created it or by admins. So if there is vandalism of that form, it will be obvious who did it.

csteipp triaged this task as Medium priority.Feb 9 2016, 10:20 PM

I think that if pages with actual content (like the "overview" ones) are automatically mirrored on Wikipedia, then we could just link to the related history page there?

@Elitre
fwiw, we won't be mirroring to the wiki for the MVP. The main reason to avoid that is, we rely on wiki templates which would be completely different across languages.

awight renamed this task from Edit history is not available to Edit history is not available to admins.Feb 27 2016, 6:45 AM
awight set Security to None.

We use the paperclip gem to retain version histories of surveys now. The same functionality could be extended to the basic course data. (Things get considerably more complicated when Timelines are thrown into the mix, since Timelines are composed of many different records / objects. But for now, the P&E dashboard won't make much use of timelines anyway.)