
Message describing OAuth activities is confusing to end user (in context of Wikidata Game)
Closed, Resolved, Public

Description

Screen shot of the message

Quote from the user (Martha Forsyth) who encountered this:

WikiData: I looked at it, when I went to "log in" I found this notice:

It's the last one that scared me off. I do NOT feel qualified to "Perform administrative actions: Rollback changes to pages; Delete pages, revisions, and log entries" - I could sure handle "rollback changes" but deleting??! Not for me to say!

I haven't looked into the Privacy Policy yet (I will) but this is a VERY scary notice. It LOOKS as if I would be allowing Widar to do things "on my behalf and in my name" COMPLETELY on its own! Now, I doubt that is true - but it sure scared me off, and I was about to dive in!


Version: unspecified
Severity: normal


Event Timeline

bzimport raised the priority of this task from to Needs Triage. Nov 22 2014, 3:39 AM
bzimport set Reference to bz67082.
bzimport added a subscriber: Unknown Object (MLST).

A little more background: this resulted from an effort to try "Wikidata The Game" based on this blog post:

http://wikistrategies.net/wikidata-guest-post-tom-morris/#more-898

Via this link: http://tools.wmflabs.org/wikidata-game/

The issue is with reusing Widar for this game. Since Widar is used for many different tools, you must give it all of those rights when you approve it. So yes, the game would have the ability to delete pages, if an admin decides to play it. The appropriate thing to do would be to register and use another consumer, that requests fewer rights.

If there's another component to this bug, such as how the rights are displayed, or how you're able to access more information about what user rights you're granting when you give an OAuth consumer these rights, feel free to reopen this and clarify.

(In reply to Chris Steipp from comment #2)

So yes, the game would have the ability to delete pages, if an admin decides
to play it. The appropriate thing to do would be to register and use another
consumer, that requests fewer rights.

The game's "Merge items" mode can actually delete pages for you, if you're an admin and check an additional checkbox.

Maybe the dialog shouldn't list the rights that the user doesn't have anyway? (For example, I can confirm that "Delete pages, revisions, and log entries" is shown even if the user is not an admin, which is definitely confusing.)
Would that require us to invalidate the OAuth permissions when the user gets these rights, just in case?

I am glad to see there are some technical issues being surfaced, and I like Bartosz's suggestion, that the tool could be more closely tailored to discussing only the rights the user has. However, I think the bigger issue here is in the way that information is conveyed, rather than the factual accuracy of the information. There are many little issues, that add up to something that's confusing and off-putting to a less technical end-user. I will quote the message's text, with commentary, below:

Hi Martha,
Widar would like to do the following actions on your behalf on www.wikidata.org:

Two problems:

  1. Martha has at this point never heard the name "Widar" before, and will probably never hear it again. The reference to "Widar" is not helpful. Is this a person? A web site? An organization? How would she know, and why should she care what Widar wants?
  2. "would like to" is a strange way to put it. The person who has a desire here is Martha: she wants to play the Wikidata Game. If there are conditions that must be met, that's what she needs to know; not what some abstract entity "wants." Now she is wondering about machine sentience and artificial intelligence, when all she wanted to do was try out a web game!

  • Perform high volume activity: high volume editing

I'm not sure I even know what this is referring to. Presumably, some kind of restriction on edits-per-hour is being lifted. I didn't even know such a restriction existed. As an end user, why should Martha care? Why does she even need to know this? How is the information helping her achieve her goal, or how would not knowing harm her?

  • Interact with pages: Edit existing pages; Create, edit, and move pages

What is a "page"? Is this referring to Wikidata or Wikipedia? Perhaps this could simply say "Make changes to the Wikidata.org web site"?

  • Perform administrative actions: Rollback changes to pages; Delete pages, revisions, and log entries

I think Bartosz has a good suggestion here: if possible, it would be nice if this item could simply be removed for non-administrators. "Rollback" might be a right that a non-admin has, but in many cases she will not even know what "rollback" means. As an admin, I've granted this right to people without discussing it much, and I've seen other admins do this as well. So if there's a way to avoid the jargon "rollback" and instead describe what will actually be done, that would be ideal.

Privacy Policy

I'm not sure why the Privacy Policy is mentioned at all. Whose policy is it? Wikimedia's? Widar's? And why is it relevant? If this is a mere formality, maybe it could be eliminated, or maybe it could be made smaller/lighter grey/moved below the buttons or otherwise de-emphasized.

Aklapper triaged this task as Low priority. Mar 17 2015, 10:57 AM
Aklapper added a subscriber: Aklapper.

Martha has at this point never heard the name "Widar" before, and will probably never hear it again. The reference to "Widar" is not helpful. Is this a person? A web site? An organization? How would she know, and why should she care what Widar wants?

Widar is a name for a service that is used by The Wikidata Game and several other apps to access Wikidata on the user's behalf. I blame @Magnus for naming it in a strange way and I agree that having a separate consumer for the Wikidata Game would be a good solution if only to this problem.

"would like to" is a strange way to put it. The person who has a desire here is Martha: she wants to play the Wikidata Game. If there are conditions that must be met, that's what she needs to know; not what some abstract entity "wants." Now she is wondering about machine sentience and artificial intelligence, when all she wanted to do was try out a web game!

Good point. I'm changing the wording of this and submitting a patch soon.

I'm not sure I even know what this is referring to. Presumably, some kind of restriction on edits-per-hour is being lifted. I didn't even know such a restriction existed. As an end user, why should Martha care? Why does she even need to know this? How is the information helping her achieve her goal, or how would not knowing harm her?

Well, it's an additional permission being granted, and as much as Martha might not care, somebody might. I don't want to go removing information from the interface willy-nilly just because one set of users doesn't really care, at least not without some solution for making sure people who do care still see the information.

What is a "page"? Is this referring to Wikidata or Wikipedia? Perhaps this could simply say "Make changes to the Wikidata.org web site"?

I simplified this a little - the messages already have a parameter that tells you what site(s) are being included. In the case of this particular consumer, it says "on www.wikidata.org", so that's pretty clear already.

I think Bartosz has a good suggestion here: if possible, it would be nice if this item could simply be removed for non-administrators. "Rollback" might be a right that a non-admin has, but in many cases she will not even know what "rollback" means. As an admin, I've granted this right to people without discussing it much, and I've seen other admins do this as well. So if there's a way to avoid the jargon "rollback" and instead describe what will actually be done, that would be ideal.

Agreed. This is a separate task. T94478, the subtask, should take care of it.

I'm not sure why the Privacy Policy is mentioned at all. Whose policy is it? Wikimedia's? Widar's? And why is it relevant? If this is a mere formality, maybe it could be eliminated, or maybe it could be made smaller/lighter grey/moved below the buttons or otherwise de-emphasized.

I'll take the bold styling out at least. Seems a bit too strong to me.

Patch incoming, thanks!

Change 200730 had a related patch set uploaded (by MarkTraceur):
Clarify messages, de-emphasize privacy policy

https://gerrit.wikimedia.org/r/200730

  • Perform administrative actions: Rollback changes to pages; Delete pages, revisions, and log entries

I think Bartosz has a good suggestion here: if possible, it would be nice if this item could simply be removed for non-administrators. "Rollback" might be a right that a non-admin has, but in many cases she will not even know what "rollback" means. As an admin, I've granted this right to people without discussing it much, and I've seen other admins do this as well. So if there's a way to avoid the jargon "rollback" and instead describe what will actually be done, that would be ideal.

If a user has rollback rights without knowing what that means, they probably shouldn't have them.

  • Perform administrative actions: Rollback changes to pages; Delete pages, revisions, and log entries

I think Bartosz has a good suggestion here: if possible, it would be nice if this item could simply be removed for non-administrators. "Rollback" might be a right that a non-admin has, but in many cases she will not even know what "rollback" means. As an admin, I've granted this right to people without discussing it much, and I've seen other admins do this as well. So if there's a way to avoid the jargon "rollback" and instead describe what will actually be done, that would be ideal.

If a user has rollback rights without knowing what that means, they probably shouldn't have them.

Two problems with this:

(1) I believe the message is delivered *regardless of whether or not the user has rollback rights* -- if so, that should be changed to eliminate something irrelevant and confusing to those who do not have any reason to have ever heard of rollback rights. (Remember, The Wikipedia Game is intended to be highly accessible to newbies!)

(2) Even if it is the case that a user has the rollback right and doesn't know what it is -- perhaps through no fault or direct action of her own, because an administrator gave out the right without fully explaining it -- is sending her a confusing message an appropriate way to deal with that? I have no problem with your point that "they probably shouldn't have them" -- sure, remove the right if you feel it's important. But a confusing message is not a helpful step on the path to removing the right, and serves only to confuse the user.

<snip>

Patch incoming, thanks!

Hi Mark, thank you for your attention to this. Would you mind summarizing the end result you are sending out in a patch? (Or, if it's going to be live soon, just letting us know a date when we can look for ourselves?)

I suppose it would also be desirable to allow tools to request authorisation with OAuth for standard rights as opposed to whatever rights the user has.

I may be an admin and allowed to delete pages and perform high volume edits. That doesn't mean I want every external tool I authenticate to have all rights I have on-wiki.

It seems more natural to associate OAuth requests for "basic rights" with the default definition of that term, not the current user's.

The down side is that a tool would then need additional user interaction to offer and expose the extra rights (e.g. separate "Enable admin actions" or "Enable high volume editing" buttons). But I think that explicit action is worth the overhead and more expected from a UX point of view.

I suppose it would also be desirable to allow tools to request authorisation with OAuth for standard rights as opposed to whatever rights the user has.

[...]

It seems more natural to associate OAuth requests for "basic rights" with the default definition of that term, not the current user's.

Err, that's how OAuth already works. "Basic rights" is the access an app gets when it doesn't request anything more advanced such as "Edit existing pages". You can see the full list of these grant "packages" and what rights they enable at Special:OAuth/grants.

The proposal here (also in T94478) seems to be that if the app is registered for "Delete pages, revisions, and log entries" but the user doesn't actually have any of the relevant rights, then the authorization screen wouldn't bother to show that line (and OAuth wouldn't actually grant it). If the user later got promoted, they'd have to reauthorize the app to enable that grant.

(e.g. separate "Enable admin actions" or "Enable high volume editing" buttons)

Unless I've forgotten, it's not easily possible to implement such buttons as the "request authorization" flow doesn't allow the app to request only a subset of the grants that it is registered to be able to ask for. If someone actually wanted to do that instead of requesting permission for all the app's registered grants up front, it could probably be done easily enough.
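
The behaviour proposed in the comment above (and in T94478), shown as an added example that is not part of this thread or of the OAuth extension's code: the grant table, the right names in it, `SHARED_CONSUMER` and all function names are constructed for illustration and simplified from the dialog lines quoted in this task.

```python
# Constructed, simplified grant table: grant -> (dialog line, rights it bundles).
GRANTS = {
    "highvolume": ("High-volume editing", {"noratelimit"}),
    "editpage": ("Edit existing pages", {"edit"}),
    "createeditmovepage": ("Create, edit, and move pages",
                           {"edit", "createpage", "move"}),
    "rollback": ("Rollback changes to pages", {"rollback"}),
    "delete": ("Delete pages, revisions, and log entries",
               {"delete", "deleterevision", "deletelogentry"}),
}

# Constructed consumer shared by several tools, so it is registered for everything.
SHARED_CONSUMER = ["highvolume", "editpage", "createeditmovepage",
                   "rollback", "delete"]


def authorize(registered_grants, user_rights):
    """Approval-time record: keep only grants the user can actually exercise.

    Grants with no right held by the user are neither shown nor stored, so the
    dialog matches what the token can do for this user.
    """
    shown = [g for g in registered_grants if GRANTS[g][1] & user_rights]
    return {"grants": shown, "dialog": [GRANTS[g][0] for g in shown]}


def token_rights(acceptance, user_rights):
    """Rights usable through the token: stored grants intersected with the
    user's current rights, so a promotion never widens an existing approval."""
    granted = set().union(*(GRANTS[g][1] for g in acceptance["grants"]))
    return granted & user_rights


def newly_available(registered_grants, acceptance, user_rights):
    """Registered grants that became usable after approval; the user has to
    re-authorize the consumer before any of them applies."""
    return [g for g in registered_grants
            if g not in acceptance["grants"] and GRANTS[g][1] & user_rights]


if __name__ == "__main__":
    newcomer = {"read", "edit", "createpage", "move"}  # constructed rights set
    acceptance = authorize(SHARED_CONSUMER, newcomer)
    print("dialog lines:", acceptance["dialog"])
    admin = newcomer | {"noratelimit", "rollback", "delete",
                        "deleterevision", "deletelogentry"}
    print("token after promotion:", sorted(token_rights(acceptance, admin)))
    print("needs re-authorization:",
          newly_available(SHARED_CONSUMER, acceptance, admin))
```
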

<snip>

Unless I've forgotten, it's not easily possible to implement such buttons as the "request authorization" flow doesn't allow the app to request only a subset of the grants that it is registered to be able to ask for. If someone actually wanted to do that instead of requesting permission for all the app's registered grants up front, it could probably be done easily enough.

@Anomie, it sounds like there is an aspect of the issue that is specific to The Wikidata Game, rather than the implementation of OAuth. If I understand it correctly, the Wikidata Game -- designed to give newbies an easy way to add information to Wikidata -- would never need to use anything more than basic rights. So perhaps it is somewhat "greedy" for advanced rights in its design, and could be recoded so that it never requests administrative privileges?

If that is the case, any suggestions about how to pass on a request to Magnus would be appreciated. He has not been responding to queries on his Commons talk page for several months, at least. https://commons.wikimedia.org/wiki/User_talk:Magnus_Manske

If I understand it correctly, the Wikidata Game -- designed to give newbies an easy way to add information to Wikidata -- would never need to use anything more than basic rights. So perhaps it is somewhat "greedy" for advanced rights in its design, and could be recoded so that it never requests administrative privileges?

It looks like the Wikidata Game allowed administrators to directly delete items after merging, but this ability has been removed (or at least hidden) with 3c9dd72cc3a7.

Change 200730 merged by jenkins-bot:
Clarify messages, de-emphasize privacy policy

https://gerrit.wikimedia.org/r/200730

Tgr added a subscriber: Tgr. May 12 2015, 1:48 PM

Hi Mark, thank you for your attention to this. Would you mind summarizing the end result you are sending out in a patch? (Or, if it's going to be live soon, just letting us know a date when we can look for ourselves?)

It should go live today, if I am counting correctly.

Tgr added a comment. May 12 2015, 1:52 PM

I think everything here has been taken care of or has a more specific task. Which rights to display is T94478, fixing the privacy policy link is T64686, the general design overhaul (including clearer identification of the site and the application) is T75062, the rest of the suggestions have been implemented by Mark via tweaks to the language. Did I miss anything or can we close this as resolved?

Tgr added a comment. May 12 2015, 1:58 PM

"Rollback" might be a right that a non-admin has, but in many cases she will not even know what "rollback" means. As an admin, I've granted this right to people without discussing it much, and I've seen other admins do this as well. So if there's a way to avoid the jargon "rollback" and instead describe what will actually be done, that would be ideal.

Different presentations work best in different contexts; unfortunately, the software needs to present the permission request of every app the same way (although the ability for the app author to add footnotes to explain why each specific right is needed would be nice). An anti-vandalism tool might request rollback rights and nothing else (or rollback + some rights completely unrelated to editing), in which case omitting it would be very misleading.

@Ricordisamoa proposed changing some of the wording back in https://gerrit.wikimedia.org/r/#/c/208010/

I agree that the previous wording was more correct, and wouldn't mind seeing it change back. But I agree Mark's wording is less scary for users. Is there a way we can be both accurate and friendly in the wording?

Is there a way we can be both accurate and friendly in the wording?

By using both short summaries (like "Interact with pages") and detailed information (such as "Create, edit, and move pages").
"Make changes to pages" does not add any information within that context.

bd808 closed this task as Resolved. Sep 30 2015, 5:56 PM
bd808 claimed this task.

I merged the revert to the "Create, edit, and move pages" wording for the 'createeditmovepage' grant in https://gerrit.wikimedia.org/r/#/c/208010/. Let's call this one done. The bikeshed has paint and it will keep the rain from rotting the wood.

Ricordisamoa set Security to None.
Ricordisamoa removed a subscriber: gerritbot.