Page MenuHome
Differential D11904

Disable as Spam - admin-only option to handle spammers
ClosedPublic
Actions

Authored by Dalai Felinto (dfelinto) on Jul 13 2021, 9:22 PM.

Details

Reviewers
Sergey Sharybin (sergey)
Summary

This implements a convenient way to handle spam users, mimicking the steps the admins already do manually:

  • Disable Account
  • Real Name -> "spam"
  • Title -> ""
  • Icon → ""
  • Blurb → ""
  • Profile Picture → default

This is disabling the account using the same functionality as the "Disable User" button. And on top of that it replaces the account real name with "spam" and wipe the other personal information.

Note that this doesn't delete any posts from the user.

Diff Detail

Repository
rP Phabricator

Event Timeline

Dalai Felinto (dfelinto) requested review of this revision.EditedJul 13 2021, 9:22 PM
Dalai Felinto (dfelinto) created this revision.

This working in my local installation of phabricator:

Update: The "Set as Spam" button was renamed: "Disable as Spam".

Sergey Sharybin (sergey) requested changes to this revision.Jul 14 2021, 10:09 AM

Please be careful with capabilities and permissions checks. The easiest way to do so is to NOT do any sanity checks in the interface and validate the controllers properly react to actions from users who has different capabilities assigned. This will help catching a lot of issues, but, unfortunately, will not catch all of them. The rest you need to read code carefully, keep aside implicit dependencies on where code is used from, and do checks which has semantic meaning in the local context.

src/applications/people/capability/PeopleDisableSpammerUsersCapability.php
6 ↗(On Diff #39502)

people.disable_spam.users

You don't want capability to actually spam users.

src/applications/people/controller/PhabricatorPeopleProfileEditController.php
37–43 ↗(On Diff #39502)

What is this about?

Its even logically seems wrong. With proper controller implementation you should be able to add new controller and implement logic there without modifying other controllers.

src/applications/people/controller/PhabricatorPeopleProfileManageController.php
96

$has_spam is ambiguous: is it about the profile itself containing spam?
What you mean here is $has_disable_spam_capability.

98

$can_disable_spam.

Also, there is no way to handle hierarchical capabilities in the interface, typical capability checks in the code do not support this, and the code in the controller is written in a way that it only requires spam disable capability. So this line should really be $can_disable_spam = ($has_disable_spam_capability && !$is_self).

203

Disable as Spam

src/applications/people/controller/PhabricatorPeopleSpamController.php
14

Why do you need $via here? You don't route permissions differently for the admin panel and X actions.

44

Indentation?

45

Consistency, and canonical. While TRUE would work, the canonical way of spelling is true. This is also what you've used in other areas of this patch.

src/applications/people/xaction/PhabricatorUserSpamTransaction.php
3 ↗(On Diff #39502)

PhabricatorUserDisableSpamTransaction

6 ↗(On Diff #39502)

user.disable_spam.

Wording is important. Making it clear what performed action is also important.

45–47 ↗(On Diff #39502)

While the statement in the comment is valid, we are in the "disable user as a spammer" action. This actions is, based on reading code above, supposed to have own dedicated capability. which is not validated here.

This revision now requires changes to proceed.Jul 14 2021, 10:09 AM
Sergey Sharybin (sergey) added a comment.Jul 14 2021, 10:11 AM

P.S. The presentation should also be improved. I.e. it sdtates nothing about the newely introduced capability, how it relates to the existing ones.

Dalai Felinto (dfelinto) updated this revision to Diff 39520.Jul 14 2021, 10:35 AM
Dalai Felinto (dfelinto) marked 9 inline comments as done.
  • Handled all the comments from review.
  • Renamed Spammer to Spam in the files and classes.
Dalai Felinto (dfelinto) edited the summary of this revision. (Show Details)Jul 14 2021, 10:38 AM
Dalai Felinto (dfelinto) retitled this revision from Set as Spam - admin-only option to handle spammers to Disable as Spam - admin-only option to handle spammers.
Dalai Felinto (dfelinto) updated this revision to Diff 39522.Jul 14 2021, 10:46 AM

Make sure "Disable as Spam" works even if the name was already set to "spam" (see comments on PhabricatorUserDisableSpamTransaction.cpp::generateNewValue)

Sergey Sharybin (sergey) added inline comments.Jul 14 2021, 11:10 AM
src/applications/people/xaction/PhabricatorUserDisableSpamTransaction.php
15–17

Why this is not taken care of by setContinueOnNoEffect(true) ?

Having a space in the name which will be undistinguishable in the interface does not sound like a great idea. If there are no other ways, maybe use disabled_spam?

Dalai Felinto (dfelinto) updated this revision to Diff 39526.Jul 14 2021, 11:47 AM

From review: use disable_spam

->setContinueOnNoEffect(true) doesn't seem to work in this case, when the new values matches current realName. So I had to resort to set new value to be different than the name.

Dalai Felinto (dfelinto) updated this revision to Diff 39528.Jul 14 2021, 12:49 PM

Typo

Sergey Sharybin (sergey) added inline comments.Jul 14 2021, 1:59 PM
src/applications/people/controller/PhabricatorPeopleSpamController.php
39

Fullstop,

55

Same as above.

src/applications/people/xaction/PhabricatorUserDisableSpamTransaction.php
16–17

The comment does not explain what happens in the case of the name collision.

40

Fullstop.

Dalai Felinto (dfelinto) updated this revision to Diff 39532.Jul 14 2021, 3:47 PM

From review: comments

Sergey Sharybin (sergey) accepted this revision.Jul 14 2021, 3:55 PM

Thanks for the updates.

This revision is now accepted and ready to land.Jul 14 2021, 3:55 PM
Dalai Felinto (dfelinto) closed this revision.Jul 14 2021, 4:25 PM

Thanks Sergey. Pushed to blender-tweaks and blender-tweaks-prod.

James Monteath (jmonteath) added a subscriber: James Monteath (jmonteath).Jul 14 2021, 5:26 PM

Deployed and restarted services.

Revision Contents
Changeset List

Diff 39526

View Options

src/__phutil_library_map__.php

Loading...
View Options

src/applications/people/application/PhabricatorPeopleApplication.php

Loading...
View Options

src/applications/people/capability/PeopleDisableSpamUsersCapability.php

Loading...
View Options

src/applications/people/controller/PhabricatorPeopleProfileManageController.php

Loading...
View Options

src/applications/people/controller/PhabricatorPeopleSpamController.php

Loading...
View Options

src/applications/people/xaction/PhabricatorUserDisableSpamTransaction.php

Loading...