Page MenuHomePhabricator
Create Task
Maniphest T337635

Create API endpoint for receiving report data
Closed, ResolvedPublic5 Estimated Story Points
Actions

Description

The incident report form is a client-side application. When the user clicks the submit button, we will POST the data to a REST API endpoint managed by the ReportIncident extension.

The API endpoint should:

  • require the user to be authenticated to submit
  • validate the POST body for the following:
    • user ID of person being reported
    • revision ID for the page, when the user launched the "report" app
    • [pending the DiscussionTools integration] comment ID (optional, used if report button clicked in context of the comment)
    • [pending the DiscussionTools integration] topic ID / heading text (used if report button clicked in context of the header, also sent as additional metadata to help locate a comment in a page)
    • details text
    • abuse types
    • ? (any other fields in the form, each one listed as a parameter)

For validated POST body, the endpoint should then:

  • send an email containing contents (email content to be determined, cc @Madalina to create a separate task to document what the email subject line and contents should look like) to a list of email addresses determined by a configuration variable in extension.json
  • in the HTTP response, provide a success/failure message and code, so that the client-side app can inform the user in case of failure.

The API endpoint should have rate limits (T345813: Implement rate limits for submitting data to ReportIncident API) in place for authenticated users, as a basic precaution to limit abuse.

User story:

As a user, when I click submit I expect an email containing my report to be sent to foundation email address.

  • create an API endpoint to handle sending emails
  • the endpoint should be rate limited (T345813)

[not-for-this-iteration] The endpoint should not allow users to submit duplicate submissions. This depends on having a database table to track submissions, though. We could define duplicate submission as having all of the same:

  • user ID of submitter
  • user ID of alleged harasser
  • revision ID for the page
  • topic ID
  • comment ID

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
api: Add endpoint to receive report datamediawiki/extensions/ReportIncidentmaster+534 -0
Customize query in gerrit

Related Objects
Search...

Event Timeline

JKieserman created this task.May 27 2023, 6:24 PM
MShilova_WMF moved this task from Needs triage to Kanban on the Trust and Safety Tools Team Backlog board.May 30 2023, 4:42 PM
MShilova_WMF edited projects, added Trust and Safety Tools Team Backlog (Kanban); removed Trust and Safety Tools Team Backlog.
MShilova_WMF moved this task from Kanban to Needs triage on the Trust and Safety Tools Team Backlog board.Jun 12 2023, 5:32 PM
MShilova_WMF edited projects, added Trust and Safety Tools Team Backlog; removed Trust and Safety Tools Team Backlog (Kanban).
JKieserman renamed this task from [ FR PoC ] email workflow for reports to Create API endpoint for emailing.Jun 13 2023, 6:25 PM
JKieserman updated the task description. (Show Details)
JKieserman added a subscriber: kostajh.

@kostajh mind adding additional technical details for this task? Are there any example endpoints we should model this off of?
@Madalina could you confirm what email address we should be using?

Madalina added a comment.Jun 14 2023, 12:12 PM

We need to create a dummy email address, need to investigate how to do that.

kostajh renamed this task from Create API endpoint for emailing to Create API endpoint for receiving report data.Jul 6 2023, 10:29 AM
kostajh updated the task description. (Show Details)
In T337635#8931206, @Madalina wrote:

We need to create a dummy email address, need to investigate how to do that.

We can create a Google Group mailing list with WMF's account, and subscribe engineers and other interested people to it. Or we can use our individual emails with the +reportincident identifier, e.g. kharlan+reportincident@wikimedia and then in our Gmail filters, we can route email sent to the +reportincident identifier to a specific folder, or automatically archive/delete, etc.

kostajh updated the task description. (Show Details)Jul 6 2023, 10:33 AM
kostajh updated the task description. (Show Details)Jul 6 2023, 11:27 AM
kostajh updated the task description. (Show Details)
kostajh claimed this task.Aug 23 2023, 11:19 AM
kostajh updated the task description. (Show Details)Aug 25 2023, 12:58 PM
kostajh removed a subscriber: JKieserman.
kostajh added a comment.Aug 25 2023, 1:15 PM

cc @Madalina to create a separate task to document what the email subject line and contents should look like)

@Madalina, could you create a task for this please, and link it with this one? Thank you!

gerritbot added a comment.Aug 25 2023, 2:41 PM

Change 952458 had a related patch set uploaded (by Kosta Harlan; author: Kosta Harlan):

[mediawiki/extensions/ReportIncident@master] [WIP] api: Add endpoint receiving report data from form

https://gerrit.wikimedia.org/r/952458

gerritbot added a project: Patch-For-Review.Aug 25 2023, 2:41 PM
Madalina added a subtask: T344997: Define email content and subject line.Aug 25 2023, 3:24 PM
kostajh edited projects, added Trust and Safety Tools Team Backlog (Kanban); removed Trust and Safety Tools Team Backlog.Aug 29 2023, 3:26 PM
kostajh moved this task from 🎬 Ready to 💻 In Progress on the Trust and Safety Tools Team Backlog (Kanban) board.
kostajh added a comment.EditedAug 30 2023, 1:15 PM

We'll create subtasks for:

  • sending the email
  • posting form contents from the dialog
Madalina set the point value for this task to 5.Aug 30 2023, 1:18 PM
kostajh mentioned this in T345257: Wire the reporting form to the API endpoint.Aug 30 2023, 2:22 PM
kostajh added a parent task: T345257: Wire the reporting form to the API endpoint.
kostajh updated the task description. (Show Details)Sep 1 2023, 12:49 PM
kostajh mentioned this in T345256: Send email based on form submission.Sep 5 2023, 12:03 PM
Madalina changed the status of subtask T345256: Send email based on form submission from Open to Stalled.Sep 5 2023, 1:19 PM
kostajh updated the task description. (Show Details)Sep 5 2023, 3:37 PM
kostajh mentioned this in T345813: Implement rate limits for submitting data to ReportIncident API.Sep 7 2023, 10:43 AM
kostajh updated the task description. (Show Details)Sep 7 2023, 1:43 PM
kostajh changed the status of subtask T345256: Send email based on form submission from Stalled to Open.Sep 8 2023, 12:18 PM
gerritbot added a comment.Sep 18 2023, 6:52 PM

Change 952458 merged by jenkins-bot:

[mediawiki/extensions/ReportIncident@master] api: Add endpoint to receive report data

https://gerrit.wikimedia.org/r/952458

kostajh mentioned this in rEREI35dff238b186: api: Add endpoint to receive report data.Sep 18 2023, 6:53 PM
ReleaseTaggerBot added a project: MW-1.41-notes (1.41.0-wmf.27; 2023-09-19).Sep 18 2023, 7:00 PM
Maintenance_bot removed a project: Patch-For-Review.Sep 18 2023, 7:10 PM
kostajh closed subtask T344997: Define email content and subject line as Resolved.Sep 19 2023, 7:17 PM
kostajh updated the task description. (Show Details)
kostajh moved this task from 💻 In Progress to 🐛 QA on the Trust and Safety Tools Team Backlog (Kanban) board.Sep 25 2023, 5:07 PM
kostajh updated the task description. (Show Details)
Djackson-ctr subscribed.Sep 25 2023, 8:10 PM

I have verified that data is posted to a REST API endpoint, but there are 2 more items listed in the ticket Description that can't be verified at the moment:
create an API endpoint to handle sending emails (Email group has not been created or configured yet)
the endpoint should be rate limited (T345813) (this ticket is still being developed, and from looking at the ticket comments its also waiting on T338804 Inform the user about the success or failure of submitting a report to be developed)

@Madalina do you want me to put this ticket into Hold / Stalled status until those 2 items are completed or do you want to take a different approach for this ticket?

Madalina added a comment.Sep 26 2023, 2:14 PM

@Djackson-ctr let's move it to On Hold for now

Djackson-ctr moved this task from 🐛 QA to ⌛ On Hold / Blocked on the Trust and Safety Tools Team Backlog (Kanban) board.Sep 26 2023, 4:06 PM
Madalina added a comment.Sep 29 2023, 12:07 PM

Email address has been created, let's use: incident-report-system-beta@wikimedia.org.

Dreamy_Jazz moved this task from ⌛ On Hold / Blocked to 🐛 QA on the Trust and Safety Tools Team Backlog (Kanban) board.Oct 23 2023, 11:07 PM
Dreamy_Jazz subscribed.

T345813 is in QA, so that shouldn't block this any further.

For the endpoint that handles sending emails this is done in T345256 which is also in QA, so that shouldn't block this either.

Moving this back to QA for @Djackson-ctr to look at this again and move to the done column if appropriate now.

Djackson-ctr added a comment.Oct 25 2023, 3:51 AM

I have verified the information listed in the ticket Description has been implemented and is displaying and functioning as expected at https://ko.wikipedia.beta.wmflabs.org/w/index.php?title=사용자토론:Bluedot&uselang=en

Djackson-ctr moved this task from 🐛 QA to 🤘 Done on the Trust and Safety Tools Team Backlog (Kanban) board.Oct 25 2023, 3:52 AM
Dreamy_Jazz closed this task as Resolved.Oct 25 2023, 1:02 PM
Dreamy_Jazz closed subtask T345813: Implement rate limits for submitting data to ReportIncident API as Resolved.
Dreamy_Jazz closed subtask T345256: Send email based on form submission as Resolved.Oct 25 2023, 1:05 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits