Page MenuHomePhabricator
Create Task
Maniphest T241767

Provide infrastructure for changing mentor-related user settings of GrowthExperiments without developer access
Open, Needs TriagePublic
Actions

Description

Currently there is no to change mentor settings (such as the primary and fallback mentor) of the user without having some low-level access, such as direct production DB access. It's bad form in general to deploy a feature that assigns work to volunteers but does not give them any control over the details of how that assignment is done.

There are various plans for adding user interfaces in the GrowthExperiments extension for controlling mentor workflows (see T239234: [EPIC] Newcomer homepage: Mentorship dashboard), but those take non-trivial effort, and it's hard to predict in advance how useful they are going to be, so they have been prioritized down. But we should at least add the infrastructure for allowing external tools to be built for mentor management; that's fairly easy and effectively outsources the design/experimentation work of figuring out what functionality is useful. (See also the second architecture principle.)

This would take the form of a new editmentoroptions user right which allows users to edit mentor-related user options of another user (the extension would include a whitelist of what options those are exactly; at this time, growthexperiments-mentor-id and maybe growthexperiments-mentor-questions in readonly mode for monitoring response times), and a simple ApiOptions-like API for reading/writing those options. Communities could easily build gadget, bot or OAuth based tooling around that.

Currently, these settings are editable by the owner only; this would further expose them to a small set of highly trusted users. Things to consider:

  • security; if some setting values are output as unescaped HTML, users with this permission could perform XSS attacks. (For SQL injection or RCE attacks, it does not make much difference whether it is the owner or someone else who can perform them.) Highly trusted users can already perform XSS attacks in a number of ways so this is not really an issue.
  • robustness: the software would have to assume that all these settings are user input, containing potentially invalid data. (Technically this is already the case since the owner can already write these settings, but there is no reason anyone would do that.) As long as the relevant options are simple strings which are validated by MediaWiki internals (e.g. User::newFromText) this is not much of an issue.
  • privacy: we'd have to ensure the settings that are made available don't contain anything for which the user has a reasonable expectation of privacy (e.g. never expose welcome survey data this way). Again, not a problem for the core use cases.

Related Objects
Search...

Event Timeline

Tgr created this task.Jan 2 2020, 8:18 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJan 2 2020, 8:18 PM
Urbanecm subscribed.Jan 4 2020, 6:43 PM
Tgr closed this task as a duplicate of T244744: Add interface for changing mentor.Feb 18 2020, 10:48 PM
Tgr reopened this task as Open.Feb 28 2020, 11:59 PM

On second thought, changing mentors is part of this, but listing mentors is still an open issue.

Tgr added a subtask: T244744: Add interface for changing mentor.Feb 28 2020, 11:59 PM
Urbanecm edited subscribers, added: Urbanecm_WMF; removed: Urbanecm.Oct 23 2020, 5:45 PM
Urbanecm_WMF added a comment.Oct 26 2021, 5:00 PM

@Tgr I think this is very similar to (is not the same as) T288878: Mentor dashboard: M2 how to quit mentoring. Do you mind me closing this as a dupe of T288878?

Restricted Application added a project: Growth-Team. · View Herald TranscriptOct 26 2021, 5:00 PM
Tgr added a comment.Oct 26 2021, 10:39 PM

I don't think it's that similar, this is about exposing the mentee-mentor relationship via the API for the purpose of community-built tooling. The mentor dashboard AIUI does not involve any plans for that. Some things do get exposed via the API (the away status, specifically, although only for writing) but most things don't.

mewoph moved this task from Inbox to Needs Discussion on the Growth-Team board.Oct 27 2021, 11:51 PM
MShilova_WMF moved this task from New Tasks to For Later (Triaged tasks) on the GrowthExperiments-Mentorship board.Apr 15 2022, 4:11 PM
MShilova_WMF moved this task from Needs Discussion to Triaged on the Growth-Team board.Aug 9 2022, 6:40 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits