@team, could I get your thoughts on the points below please?
In FAL-1694, we are auditing users across common tools, including the forum. We identified some potential issues with forum user management.
The summary is that since the forum is now public and OpenCraft is expanding, there are many users on the forum. We want to avoid the following situations:
a member of the public signs up to the forum, using a username similar to an opencraft member, and attempts to impersonate them on the forum. This could be for spreading misinformation, phishing, etc.
a user from the public or spambot who posts a malicious url is mistaken for an opencraft member and the url is followed.
newcomers accidentally editing existing posts causing confusion or misinformation. This is currently possible because almost everyone has trust level 4.
Some initial suggestions for consideration:
create a "core" group on the forum. Everyone in this group should also be trust_level_4.
modify auto trust level for "team" group to level 3 (so newcomers can't edit other users' posts, etc.)
add the opencraft logo flair to the "team" group (this is already done), and ensure that everyone that isn't in a cell (e.g. Xavier, Fox, etc.) has the "team" group as the primary group, so the flair displays.
Questions:
I'm not sure exactly what happens to forum users after they leave opencraft; do we want them to retain a cell/opencraft flair even after they are deactivated and suspended? How do we want to handle users who wish to remain on the forum with their personal email?
Should we consider a different flair for users who are partners rather than opencraft members - e.g. from Fixate? (I'm not sure exactly how these members are treated; it's new and there isn't much documentation.)
Note: discussion is private now to avoid giving anyone from the public ideas. We can make it public once we've implemented improvements.
Giving different status based on the e-mail domain is already a good step.
Ok if it's not overloaded with icons and badges and flairs and numbers.
It can help - and maybe it's already like this - if the special situations break the usual patterns. E.g. if you're seeing or answering a first post of a user, you should see a warning (something like "this user just registered. Say welcome!").
Could we also get some notification about new people outside OpenCraft who registered? I see Discourse has notifications (the number over the icon at the top right), we could be warned there about special events.
Yep, the idea is that everyone who is "trusted" or "verified" will have a single flair. So seeing a flair == verified user, and looking more closely at the flair and reading the group text == see which cell or otherwise this user belongs to (e.g. serenity flair + "Serenity cell member", or edX logo flair + "edX partner" for example).
Agreed to both of these. I think there already is something when replying to a user's first post. I'm not sure about notifications; something to investigate.
Yep we already use this to some extent, so this is fine.
Update on this: I updated the primary groups for all non-cell members to be the "team" group, so now all trusted members should have a flair and "title" that can't be impersonated. Everyone will either have their cell flair, or the opencraft logo flair.
I also dropped the automatic upgrade to trust level 4 for joining the "team" group (which anyone with an opencraft.com email will automatically join). This should prevent future newcomers from automatically getting full level 4 privileges. Now they should get level 3 privileges, which is basically everything except editing/deleting user posts. See https://blog.discourse.org/2018/06/understanding-discourse-trust-levels/ for more information on trust levels.
I just went ahead and did these because these seem non-controversial. Please let me know if there are any issues though.
Note: this is easy - we continue our normal policy, which is updating to a non-opencraft email, and removal from the team group. This will remove their flair, which seems fair I guess.
Note: I've since discovered that these members are being treated as normal opencraft members, so no change there.
I don't think further changes are required? I was initially thinking about core/newcomers groups for more fine grained trust level control, but if a core member needs trust level 4, they can request it from one of the admins. This at least helps combat the potential impersonation attack, if we get used to seeing the flairs and "falcon cell"/"opencraft team"/etc. title on all trusted members.
@swalladge Thanks for the changes and taking care of this!
A request for my title - having a big "OpenCraft CEO" splashed on top of all my posts is maybe a bit much. We try to not focus on titles, so to be in line with what we have for other members of the team, could I get "Non cell member" maybe? And same thing for everyone else not specifically assigned to a cell for now?
I prefer that. I didn't make any suggestion because I didn't have any good ideas, but those are fine with me. See what @antoviaque thinks though :)