
Restrict creation of calendar items due to spam
Closed, Resolved (Public)

Description

as we get spam like https://phabricator.wikimedia.org/E1269

Maybe to members of Trusted-Contributors and WMF-NDA ?

Event Timeline

Aklapper created this object with visibility "Custom Policy".
Aklapper added subscribers: Marostegui, mmodell.
Aklapper closed this task as Resolved. (Edited, Dec 22 2020, 10:23 AM)
Aklapper claimed this task.

No replies/comments, so I took the liberty to change "Default Edit Policy" on https://phabricator.wikimedia.org/applications/edit/PhabricatorCalendarApplication/ from
All Users
to
admins or members of: { WMF-NDA or Trusted-Contributors or #acl*security or #acl*sre-team}. (Lacking any better guidelines which of our many funny acl thingies would make sense).

Let's see who will complain about Phab's cryptic error messages, and if they'll complain in a place that I'll become aware of.</phabblues>

This comment was removed by Aklapper.

Yes, let me do that (thanks for the ping).

Aklapper changed the visibility from "Custom Policy" to "Public (No Login Required)". Jan 22 2021, 10:20 AM
Aklapper changed the visibility from "Public (No Login Required)" to "Custom Policy".

FAIL. Doesn't work as expected. No idea why.
Created E1338 with my other account and that's not a member of https://phabricator.wikimedia.org/project/members/3104/

Unassigning due to Phab being frustratingly non-obvious.

As far as I know "Default edit policy" only controls who can edit entries after they are created, not who can create them.

Thanks Majavah, you're probably right.

Maybe we'd need to change "Can Use Application" instead of "Default Edit Policy" on https://phabricator.wikimedia.org/applications/edit/PhabricatorCalendarApplication/ but it's ironic, because I would like people to be able to *view* stuff.

Maybe these settings don't allow achieving what I want: Everyone can view stuff, but not everyone can create stuff. Sigh.

Submissions are controlled by policies on the forms not on the application.

T258599 could probably use the same solution.

Aklapper claimed this task.

Oh thanks a lot! Alright, first, I finally need to develop a mental model that some stuff is under application settings while other stuff is under forms.

Second, I don't think that Trusted-Contributors is ever sufficient, as I soon expect numerous support requests from staff etc. to drop into my inbox, as Phab's error message is as vague as can be. I also added WMF-NDA to https://phabricator.wikimedia.org/transactions/editengine/calendar.event/edit/25/ and https://phabricator.wikimedia.org/transactions/editengine/calendar.event/edit/44/ , probably there should be more but what do I remember. :)

Aklapper changed the visibility from "Custom Policy" to "Public (No Login Required)". Jan 25 2021, 9:51 AM