#6392 Per tool user bans

v1.0.1
closed
nobody
General
2015-08-20
2013-06-25
Chris Tsai
No

It should be possible to ban users from posting to individual tools, in case of spam, abuse, etc. There should also be a spot to indicate the reason when banning.

These bans should be collected in a site or neighborhood wide admin page so we can review these periodically in case we want to remove/disable that account site wide.

Related

Tickets: #6392
Tickets: #6709

Discussion

  • Dave Brondsema - 2013-06-25

    This could be implemented as a part of the ACL system. I think it already has some support for negative ACEs (entries). That'd be cleaner than a separate ban list.

     
  • Chris Tsai - 2013-07-17

    Bump, 7-zip continues to get the occasional spam and this would certainly help their management.

     
  • Dave Brondsema - 2013-07-22
    • labels: support, p3 --> support, p3, 42cc
    • Milestone: limbo --> forge-backlog
     
  • Dave Brondsema - 2013-07-22

    A note field could be added to the ACE model to keep track of the ban reason.

    A site-wide or nbhd-wide admin page to show all DENY ACEs isn't critical for this and I think will be very inefficient to find all of those, so let's not plan on doing that now.

     
  • Igor Bondarenko - 2013-07-23

    Created #403: [#6392] Per tool user bans (4cp)

    How do you think the UI should look?

    Maybe add a 'Ban' option in the tool admin menu (next to 'Permissions'). Then, on the 'ban page', we can have a dropdown with a list of the tool's permissions and fields for username and ban reason.

    Or do you have something different in mind?

     


  • Dave Brondsema - 2013-07-23

    If using DENY in the existing ACL system works (and I hope it does) then I think it should be on the existing permission page and associated with an individual permission (e.g. "post"). I've attached a possibility. When you click on it, we'll need a username field and a place for a note, so a modal dialog might be best. We also need to list existing blocked users. Perhaps those could be listed in the modal dialog too.

     
  • Igor Bondarenko - 2013-07-23

    Makes sense, thanks.

     
  • Igor Bondarenko - 2013-07-23
    • status: open --> in-progress
     
  • Anton Kasyanov - 2013-08-09

    Closed #403, branch 42cc_6392

     
  • Anton Kasyanov - 2013-08-09
    • status: in-progress --> code-review
     
    • QA: Tim Van Steenburgh
    • Milestone: forge-backlog --> forge-sep-06
     
  • I've just started reviewing this, and the first thing I notice is that the implementation doesn't use the existing ACL/ACE security machinery. Is there a reason for that?

     
    • status: code-review --> in-progress
    • QA: Tim Van Steenburgh --> nobody
     
    1. If possible, please implement using the existing ACL/ACE machinery instead of introducing the new block_user attr on the app_config. If not possible, please briefly explain why.
    2. Block User form needs validation. If I submit it blank I get an error and then the permissions page will not load.
    3. I think the Block List is supposed to show the user._id in parentheses next to the username, but I see empty parens. I don't think the _id is really necessary to display there and can be removed.
    4. Change button text on Block List form from 'Delete' to 'Unblock'.
     
  • Igor Bondarenko - 2013-09-05

    Created #432: [#6392] Per tool user bans followup (2cp)

     


  • Dave Brondsema - 2013-09-06
    • Milestone: forge-sep-06 --> forge-sep-20
     
  • Igor Bondarenko - 2013-09-16

    I think the Block List is supposed to show the user._id in parentheses next to the username

    There should be a ban reason. I've hidden the parentheses when a reason isn't specified.


    Closed #432. je/42cc_6392

     
  • Igor Bondarenko - 2013-09-16
    • status: in-progress --> code-review
     
    • QA: Tim Van Steenburgh
     
    • status: code-review --> in-progress
     
  • Couple of things:

    • The Block User form should post via ajax so that any other unsaved permission changes on the page are not wiped out by the page refresh.
    • I believe the code in the update() controller in app.py could be simplified greatly by changing line 735 to:
        if (acl['permission'] == perm) and (str(acl['role_id']) not in group_ids) and acl['access'] != model.ACE.DENY:
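
A minimal model of the approach discussed in this thread, added here as an illustration and not taken from Allura's code: a ban is a DENY ACE carrying a reason, and a permissions-form save applies the same filter as the suggested line above so that bans survive it. First-match ACL evaluation, the role names and every function name below are assumptions of this sketch.

```python
from dataclasses import dataclass

ALLOW, DENY = "ALLOW", "DENY"


@dataclass(frozen=True)
class ACE:
    access: str        # ALLOW or DENY
    role_id: str       # a group role or a per-user role (hypothetical ids)
    permission: str    # e.g. "post"
    reason: str = ""   # ban note, the field proposed in this ticket


def has_access(acl, role_ids, permission):
    """First matching ACE decides (assumed), so DENY must sort before ALLOW."""
    for ace in acl:
        if ace.permission == permission and ace.role_id in role_ids:
            return ace.access == ALLOW
    return False


def block_user(acl, user_role_id, permission, reason):
    """Put a DENY ACE for one user ahead of every other entry."""
    rest = [a for a in acl
            if (a.access, a.role_id, a.permission) != (DENY, user_role_id, permission)]
    return [ACE(DENY, user_role_id, permission, reason)] + rest


def save_permission(acl, permission, group_ids):
    """Permissions-form save: drop ALLOW ACEs for roles no longer selected,
    add newly selected ones, and never touch DENY ACEs."""
    kept = [a for a in acl
            if not (a.permission == permission
                    and a.role_id not in group_ids
                    and a.access != DENY)]
    present = {a.role_id for a in kept
               if a.permission == permission and a.access == ALLOW}
    return kept + [ACE(ALLOW, g, permission) for g in group_ids if g not in present]


def blocked_users(acl, permission):
    """Block list for the modal dialog: (role_id, reason) pairs."""
    return [(a.role_id, a.reason) for a in acl
            if a.access == DENY and a.permission == permission]


# Constructed sample: authenticated users and developers may post to the tool.
ACL = [ACE(ALLOW, "authenticated", "post"), ACE(ALLOW, "developer", "post")]
```

Without the `access != DENY` clause in `save_permission`, saving the permissions form would delete the ban along with the deselected roles.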
    
     
  • Igor Bondarenko - 2013-09-19

    Created #444: [#6392] Make block user form ajax and refactoring (1cp)

     


  • Dave Brondsema - 2013-09-20
    • Milestone: forge-sep-20 --> forge-oct-04
     
  • Igor Bondarenko - 2013-09-24
    • status: in-progress --> code-review
     
