@team, could I get your thoughts on the points below please?
In FAL-1694, we are auditing users across common tools, including the forum. We identified some potential issues with forum user management.
The summary is that since the forum is now public and OpenCraft is expanding, there are many users on the forum. We want to avoid the following situations:
a member of the public signs up to the forum, using a username similar to an opencraft member, and attempts to impersonate them on the forum. This could be for spreading misinformation, phishing, etc.
a user from the public or spambot who posts a malicious url is mistaken for an opencraft member and the url is followed.
newcomers accidentally editing existing posts causing confusion or misinformation. This is currently possible because almost everyone has trust level 4.
Some initial suggestions for consideration:
create a ‘core’ group on the forum. Everyone in this group should also be trust_level_4. modify auto trust level for ‘team’ group to level 3 (so newcomers can’t edit other users’ posts, etc.)
add the opencraft logo flair to the ‘team’ group (this is already done), and ensure that everyone that isn’t in a cell (eg. Xavier, Fox, etc.) have the ‘team’ group as the primary group, so the flair displays.
I’m not sure exactly what happens to forum users after they leave opencraft; do we want them to retain a cell/opencraft flair even after they are deactivated and suspended? How do we want to handle users who wish to remain on the forum with their personal email?
Should we consider a different flair for users who are partners rather than opencraft members - eg. from Fixate? (I’m not sure exactly how these members are treated; it’s new and there isn’t much documentation.)
Note: discussion is private now to avoid giving anyone from the public ideas. We can make it public once we’ve implemented improvements.
Giving different status based on the e-mail domain is already a good step.
Ok if it’s not overloaded with icons and badges and flairs and numbers.
It can help -and maybe it’s already like this- if the special situations break the usual patterns. E.g. if you’re seeing or answering a first post of a user, you should see a warning (something like „this user just registered. Say welcome!“).
Could we also get some notification about new people outside OpenCraft who registered? I see Discourse has notifications (the number over the icon at the top right), we could be warned there about special events.
Yep, the idea is that everyone who is ‘trusted’ or ‘verified’ will have a single flair. So seeing a flair == verified user, and looking more closely at the flair and reading the group text == see which cell or otherwise this user belongs to (eg. serenity flair + ‘Serenity cell member’, or edX logo flair + ‘edX partner’ for example).
Agreed to both of these. I think there already is something when replying to a user’s first post. I’m not sure about notifications; something to investigate.
Yep we already use this to some extent, so this is fine.
Update on this: I updated the primary groups for all non-cell members to be the ‘team’ group, so now all trusted members should have a flair and ‘title’ that can’t be impersonated. Everyone will either have their cell flair, or the opencraft logo flair.
I also dropped the automatic upgrade to trust level 4 for joining the ‘team’ group (which anyone with an opencraft.com email will automatically join). This should prevent future newcomers from automatically getting full level 4 privileges. Now they should get level 3 privileges, which is basically everything except editing/deleting user posts. See https://blog.discourse.org/2018/06/understanding-discourse-trust-levels/ for more information on trust levels.
I just went ahead and did these because these seem non-controversial. Please let me know if there are any issues though.
Note: this is easy - we continue our normal policy, which is updating to a non-opencraft email, and removal from the team group. This will remove their flair, which seems fair I guess.
Note: I’ve since discovered that these members are being treated as normal opencraft members, so no change there.
I don’t think further changes are required? I was initially thinking about core/newcomers groups for more fine grained trust level control, but if a core member needs trust level 4, they can request it from one of the admins. This at least helps combat the potential impersonation attack, if we get used to seeing the flairs and ‘falcon cell’/‘opencraft team’/etc. title on all trusted members.
@swalladge Thanks for the changes and taking care of this!
A request for my title – having a big “OpenCraft CEO” splashed on top of all my posts is maybe a bit much. We try to not focus on titles, so to be in line with what we have for other members of the team, could I get “Non cell member” maybe? And same thing for everyone else not specifically assigned to a cell for now?