Posted to dev@bloodhound.apache.org by Joachim Dreimann <jo...@wandisco.com> on 2013/04/16 18:59:44 UTC

Default user permissions on i.a.o/bh issue tracker.

There seems to be some concern around our current policy of not allowing
anonymous users to report issues, and especially not allowing registered
users to report/edit/comment on tickets by default.

We've had several people speak out in favour of changing this, arguing it
would be for the best of the community.

As a first step I propose that we give all registered users the
editor_group permissions:
TICKET_CREATE
TICKET_EDIT_DESCRIPTION
TICKET_MODIFY (which implies commenting permissions)
WIKI_CREATE
WIKI_MODIFY

This would be done immediately and before implementing
http://trac.edgewall.org/wiki/SpamFilter or similar unless someone
volunteers to do so soon.

Any objections?

Cheers,
Joe


On 16 April 2013 17:17, Olemis Lang <ol...@gmail.com> wrote:

> On 4/16/13, Joachim Dreimann <jo...@wandisco.com> wrote:
> > On 16 April 2013 16:34, Ryan Ollos <ry...@wandisco.com> wrote:
> >> On Thu, Apr 11, 2013 at 9:01 AM, Joachim Dreimann <
> >> joachim.dreimann@wandisco.com> wrote:
> >>
> [...]
> >>
> >> Yes, I think that we should be concerned that our barrier to posting an
> >> issue or other contribution may be too high at the moment. If I came to
> >> the site and couldn't immediately register and create a ticket, I may go
> >> away and never report the issue.
> >>
> >
> > I am very concerned by this and would probably do the same as you. In
> > fact I may not even bother to register. If registration is required I
> > usually look for a project Twitter account and send them a tweet
> > reporting the bug.
> >
>
> I second that. I've been concerned about this for a long while. In
> my real life connected experience
>
>   1. I do not fill sign up forms in web sites. That's what
>       OpenID is for. Bloodhound has been the exception
>       since many years ago.
>   2. Forbidding users to send us bug reports is something I
>       do not understand. The way I see it users are contributing
>       back to us. That makes no sense to me. IMO authenticated
>       users should be granted with permissions to
>       interact with the i.a.o/bh web site.
>
> > If they reply to me with something like "Thanks, but we won't take action
> > unless you resubmit via our website after registration" I know they value
> > process over action and will avoid dealing with them in future.
> >
>
> Definitely sure. Besides *they* are deliberately wasting your time
> ... I'd rather send them a message saying «welcome to the new open web
> fellows»
>
> >
> >>
> >> I'll look into what we might do and propose some additional suggestions
> >> as part of the work on #503.
> >>
> >> The guys who set up trac-hacks felt that registration was even too high
> >> of a barrier, so it's possible to create an anonymous ticket on that
> >> site. That comes with other problems that I won't go into here, but I'll
> >> just say that spam is not a significant problem on trac-hacks.org, even
> >> though we are still running a very old version of SpamFilterPlugin. I
> >> monitor the RSS feed for both trac-hacks.org and trac.edgewall.org and
> >> see only a dozen or so instances of spam per week on each site;
> >> sometimes more, sometimes none. Cleaning up the spam on the former
> >> doesn't take up much of my time - I just spend a few minutes reviewing
> >> the RSS feed each morning and delete any spam that has come through.
> >>
> >
> > I also review ticket changes / user registrations for spam. I haven't
> > seen any evidence of it in significant numbers. That includes spam
> > registrations that our current system doesn't prevent.
> >
> > I would grant every new registration permissions to create and comment on
> > tickets by default and try to catch out bots using some basic techniques
> > that users would never see (i.e. no captcha).
> >
>
> fwiw +
> right now it's incredibly important for us to attract user interest
> than dealing with «non-significant» spamming threats.
>
> --
> Regards,
>
> Olemis.
>



-- 
Joe Dreimann | *User Experience Designer* | WANdisco<http://www.wandisco.com/>

@jdreimann <https://twitter.com/jdreimann>
*
*
*Join one of our free daily demo sessions on* *Scaling Subversion for the
Enterprise <http://www.wandisco.com/training/webinars>*

THIS MESSAGE AND ANY ATTACHMENTS ARE CONFIDENTIAL, PROPRIETARY, AND MAY BE
PRIVILEGED.  If this message was misdirected, WANdisco, Inc. and its
subsidiaries, ("WANdisco") does not waive any confidentiality or privilege.
 If you are not the intended recipient, please notify us immediately and
destroy the message without disclosing its contents to anyone.  Any
distribution, use or copying of this e-mail or the information it contains
by other than an intended recipient is unauthorized.  The views and
opinions expressed in this e-mail message are the author's own and may not
reflect the views and opinions of WANdisco, unless the author is authorized
by WANdisco to express such views or opinions on its behalf.  All email
sent to or from this address is subject to electronic storage and review by
WANdisco.  Although WANdisco operates anti-virus programs, it does not
accept responsibility for any damage whatsoever caused by viruses being
passed.

Re: Default user permissions on i.a.o/bh issue tracker.

Posted by Branko Čibej <br...@wandisco.com>.
On 16.04.2013 21:16, Joe Dreimann wrote:
> On 16 Apr 2013, at 19:53, Branko Čibej <br...@wandisco.com> wrote:
>
>> On 16.04.2013 20:34, Gary Martin wrote:
>>> On 16/04/13 19:19, Branko Čibej wrote:
>>>> On 16.04.2013 18:59, Joachim Dreimann wrote:
>>>>> There seems to be some concern around our current policy of not
>>>>> allowing
>>>>> anonymous users to report issues, and especially not allowing
>>>>> registered
>>>>> users to report/edit/comment on tickets by default.
>>>>>
>>>>> We've had several people speak out in favour of changing this,
>>>>> arguing it
>>>>> would be for the best of the community.
>>>>>
>>>>> As a first step I propose that we give all registered users the
>>>>> editor_group permissions:
>>>>> TICKET_CREATE
>>>>> TICKET_EDIT_DESCRIPTION
>>>>> TICKET_MODIFY (which implies commenting permissions)
>>>>> WIKI_CREATE
>>>>> WIKI_MODIFY
>>>>>
>>>>> This would be done immediately and before implementing
>>>>> http://trac.edgewall.org/wiki/SpamFilter or similar unless someone
>>>>> volunteers to do so soon.
>>>>>
>>>>> Any objections?
>>>> None at all.
>>>>
>>>> Regarding registration ... note that issues.apache.org/jira requires it
>>>> in order to create or modify tickets. But it's only an e-mail
>>>> verification thing.
>>>>
>>>> Maybe we somehow combine ticket creation and registration (at least
>>>> e-mail address submission) into one step? Something along these lines:
>>>> the ticket-create dropdown and form would be available to anonymous
>>>> users, but before submitting the ticket, we'd ask them to either log in,
>>>> or provide an e-mail address -- thus implicitly registering, and we'd
>>>> follow that up with e-mail verification.
>>>>
>>>> I would not allow comments or other ticket modifications from anonymous
>>>> users.
>>>>
>>>> -- Brane
>>> Well, it would be useful to allow for comments so that you can ask
>>> someone a question about the ticket they raised or get back
>>> confirmation that it worked for them if they wanted to.
>>>
>>> Apart from that, it is a very good question whether that is as odious
>>> a process as having to do a captcha. The trick may be to convince them
>>> to still submit the ticket they just wrote out when they have to then
>>> go through another few steps to complete.
>>>
>>> I wonder if it would be possible to have a system to moderate tickets
>>> and comments prior to raising for anonymous users?
>> The point of not allowing comments from anonymous users is that it's
>> kind of hard to figure out who the author is. The same holds for ticket
>> submissions; but, if an anonymous submission is accompanied by an e-mail
>> address, then at least you have /some/ ID that you can cross-reference
>> from. And since submitting a ticket already requires filling in a
>> (small) number of fields, adding an e-mail field wouldn't hurt as much
>> as for comments.
>>
>> -- Brane
>>
> trac.edgewall.org simply shows a section for Author both when commenting and when creating tickets, asking for the author's email address:
>
> New ticket: http://trac.edgewall.org/newticket?type=defect
> Comment: http://trac.edgewall.org/ticket/65
>
> Design wise I see no issues with us doing the same.

Nice. I expect they maintain some sort of identity tracking across
requests using cookies? Ah, I see a trac_session cookie, so I guess
that's the one we'd use, too.

-- Brane


-- 
Branko Čibej
Director of Subversion | WANdisco | www.wandisco.com


Re: Default user permissions on i.a.o/bh issue tracker.

Posted by Joachim Dreimann <jo...@wandisco.com>.
Based on this discussion I have now re-introduced the "authenticated" user
group and given it the following permissions:  TICKET_CREATE,
TICKET_EDIT_DESCRIPTION, TICKET_MODIFY, WIKI_MODIFY

I have also tested it successfully. Every registered user can now create,
edit and comment on tickets, and also modify wiki pages once he/she is
verified.

I did come across what I would consider an error though: Registered users
that haven't yet validated their email address get shown the quick ticket
dialogue, which does not complain about their permissions. However once the
ticket is submitted it returns an "Internal server error", instead of the
usual confirmation that the ticket has been raised.

In my opinion we should either show a clear message up front along the
lines of: "You need to validate your email address before you can create
tickets. [resend validation email]" or queue up created tickets to only be
inserted once the email address has been validated.

I think we should also move the registration link out of the Apps dropdown
(renamed 'More' in my next commit) and into the metanav:
[Login] / [Register]    [Preferences]    [Help/Guide]

Cheers,
Joe


On 17 April 2013 06:38, Alexander Heusingfeld <ah...@goldstift.de> wrote:

> Hi all,
>
> generally I agree 100% with Gary's arguments.
>
> To give you another use case:
> Requiring only the author's email for ticket creation comes in very handy
> especially for tool support: Think of a "Report this bug" button! In case
> of an error it shows up, the user presses it, enters his email in a popup
> and clicks submit.
> That's very convenient for the user and the software author gets much more
> feedback! A similar approach is currently used in IntelliJ IDEA.
>
> Cheers
> Alex
>
> On 17.04.2013, at 07:22, Branko Čibej <br...@wandisco.com> wrote:
>
> > On 16.04.2013 23:30, Andrej Golcov wrote:
> >> I think that the user registration provides better long-term relation
> >> between user and site than an e-mail entry on comment or ticket. For
> >> example, the problem that I see with t.e.o:
> >> - e-mail changing is not possible for submitted comments
> >> - if comment was submitted with email, the user cannot edit it.
> >>
> >> Supporting both ways is also, IMO, not good: imagine that user once
> >> sent a feedback with email and another time as registered user -
> >> things can be confusing.
> >>
> >> So, my 2 cents to require user registration, but make it simple and
> >> clear (maybe with support of OpenID and/or Google accounts) and with
> >> subsequent redirect to the original URL, e.g. ticket creation URL.
> >
> > Frankly, I don't think it'll work. I'd prefer requiring registration
> > before allowing people to create tickets; but most reporters just won't
> > bother. It's the same as mailing lists: if we allowed only posts from
> > subscribed addresses, we'd never get any feedback.
> >
> > -- Brane
> >
> > --
> > Branko Čibej
> > Director of Subversion | WANdisco | www.wandisco.com
> >
>



-- 
Joe Dreimann | *User Experience Designer* | WANdisco<http://www.wandisco.com/>

@jdreimann <https://twitter.com/jdreimann>
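
A small model of the permission layout and the unverified-user error described in this message, as an added example that is not part of the original post or Bloodhound's own code: one decision function feeds both the quick ticket dialogue and the submit handler, so a denied request yields the clear message instead of a server error. Assumptions: unverified accounts fall back to anonymous permissions, the `anonymous` view grants and the login notice are constructed sample values, and all function names are hypothetical.

```python
from dataclasses import dataclass

# The only implication modelled is the one stated in the thread:
# TICKET_MODIFY implies commenting (TICKET_APPEND in Trac).
IMPLIES = {"TICKET_MODIFY": {"TICKET_APPEND"}}

# editor_group permissions as first proposed in the thread.
PROPOSED = {"TICKET_CREATE", "TICKET_EDIT_DESCRIPTION", "TICKET_MODIFY",
            "WIKI_CREATE", "WIKI_MODIFY"}

GRANTS = {
    "anonymous": {"TICKET_VIEW", "WIKI_VIEW"},            # constructed sample
    "authenticated": {"TICKET_CREATE", "TICKET_EDIT_DESCRIPTION",
                      "TICKET_MODIFY", "WIKI_MODIFY"},    # as applied above
}

VERIFY_MSG = ("You need to validate your email address before you can "
              "create tickets.")


@dataclass(frozen=True)
class User:
    name: str                  # "anonymous" for visitors who are not logged in
    email_verified: bool = False


def expand(perms):
    """Return perms plus everything they imply (transitive closure)."""
    result, todo = set(), list(perms)
    while todo:
        perm = todo.pop()
        if perm not in result:
            result.add(perm)
            todo.extend(IMPLIES.get(perm, ()))
    return result


def effective_permissions(user):
    """Anonymous grants apply to everyone; 'authenticated' only once verified.

    Assumption: an unverified account is treated like an anonymous visitor.
    """
    perms = set(GRANTS["anonymous"])
    if user.name != "anonymous" and user.email_verified:
        perms |= GRANTS["authenticated"]
    return expand(perms)


def check(user, action):
    """Single decision point shared by the form and the submit handler."""
    if action in effective_permissions(user):
        return True, ""
    if user.name == "anonymous":
        return False, "Log in or register to continue."
    if not user.email_verified:
        return False, VERIFY_MSG
    return False, "Permission %s is required." % action


def quick_ticket_dialog(user):
    """What the UI renders: the form, or the reason it is unavailable."""
    allowed, reason = check(user, "TICKET_CREATE")
    return {"show_form": allowed, "notice": reason}


def submit_ticket(user, summary):
    """Return (status, body); a denied request is a 403, never an exception."""
    allowed, reason = check(user, "TICKET_CREATE")
    if not allowed:
        return 403, reason
    if not summary.strip():
        return 400, "Summary must not be empty."
    return 200, "Ticket created: %s" % summary.strip()


def grant_drift(proposed, applied):
    """Permissions proposed but not applied, and applied but not proposed."""
    return sorted(proposed - applied), sorted(applied - proposed)
```

`grant_drift(PROPOSED, GRANTS["authenticated"])` lists the difference between the set proposed at the start of the thread and the set reported as applied.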

Re: Default user permissions on i.a.o/bh issue tracker.

Posted by Alexander Heusingfeld <ah...@goldstift.de>.
Hi all,

generally I agree 100% with Gary's arguments.

To give you another use case:
Requiring only the author's email for ticket creation comes in very handy especially for tool support: Think of a "Report this bug" button! In case of an error it shows up, the user presses it, enters his email in a popup and clicks submit.
That's very convenient for the user and the software author gets much more feedback! A similar approach is currently used in IntelliJ IDEA.

Cheers
Alex

On 17.04.2013, at 07:22, Branko Čibej <br...@wandisco.com> wrote:

> On 16.04.2013 23:30, Andrej Golcov wrote:
>> I think that the user registration provides better long-term relation
>> between user and site than an e-mail entry on comment or ticket. For
>> example, the problem that I see with t.e.o:
>> - e-mail changing is not possible for submitted comments
>> - if comment was submitted with email, the user cannot edit it.
>> 
>> Supporting both ways is also, IMO, not good: imagine that user once
>> sent a feedback with email and another time as registered user -
>> things can be confusing.
>>
>> So, my 2 cents to require user registration, but make it simple and
>> clear (maybe with support of OpenID and/or Google accounts) and with
>> subsequent redirect to the original URL, e.g. ticket creation URL.
> 
> Frankly, I don't think it'll work. I'd prefer requiring registration
> before allowing people to create tickets; but most reporters just won't
> bother. It's the same as mailing lists: if we allowed only posts from
> subscribed addresses, we'd never get any feedback.
> 
> -- Brane
> 
> -- 
> Branko Čibej
> Director of Subversion | WANdisco | www.wandisco.com
> 

Re: Default user permissions on i.a.o/bh issue tracker.

Posted by Branko Čibej <br...@wandisco.com>.
On 16.04.2013 23:30, Andrej Golcov wrote:
> I think that the user registration provides better long-term relation
> between user and site than an e-mail entry on comment or ticket. For
> example, the problem that I see with t.e.o:
>  - e-mail changing is not possible for submitted comments
>  - if comment was submitted with email, the user cannot edit it.
>
> Supporting both ways is also, IMO, not good: imagine that user once
> sent a feedback with email and another time as registered user -
> things can be confusing.
>
> So, my 2 cents to require user registration, but make it simple and
> clear (maybe with support of OpenID and/or Google accounts) and with
> subsequent redirect to the original URL, e.g. ticket creation URL.

Frankly, I don't think it'll work. I'd prefer requiring registration
before allowing people to create tickets; but most reporters just won't
bother. It's the same as mailing lists: if we allowed only posts from
subscribed addresses, we'd never get any feedback.

-- Brane

-- 
Branko Čibej
Director of Subversion | WANdisco | www.wandisco.com


Re: Default user permissions on i.a.o/bh issue tracker.

Posted by Andrej Golcov <an...@digiverse.si>.
I think that the user registration provides better long-term relation
between user and site than an e-mail entry on comment or ticket. For
example, the problem that I see with t.e.o:
 - e-mail changing is not possible for submitted comments
 - if comment was submitted with email, the user cannot edit it.

Supporting both ways is also, IMO, not good: imagine that user once
sent a feedback with email and another time as registered user -
things can be confusing.

So, my 2 cents to require user registration, but make it simple and
clear (maybe with support of OpenID and/or Google accounts) and with
subsequent redirect to the original URL, e.g. ticket creation URL.

Cheers, Andrej

Re: Default user permissions on i.a.o/bh issue tracker.

Posted by Joe Dreimann <jo...@wandisco.com>.
On 16 Apr 2013, at 19:53, Branko Čibej <br...@wandisco.com> wrote:

> On 16.04.2013 20:34, Gary Martin wrote:
>> On 16/04/13 19:19, Branko Čibej wrote:
>>> On 16.04.2013 18:59, Joachim Dreimann wrote:
>>>> There seems to be some concern around our current policy of not
>>>> allowing
>>>> anonymous users to report issues, and especially not allowing
>>>> registered
>>>> users to report/edit/comment on tickets by default.
>>>> 
>>>> We've had several people speak out in favour of changing this,
>>>> arguing it
>>>> would be for the best of the community.
>>>> 
>>>> As a first step I propose that we give all registered users the
>>>> editor_group permissions:
>>>> TICKET_CREATE
>>>> TICKET_EDIT_DESCRIPTION
>>>> TICKET_MODIFY (which implies commenting permissions)
>>>> WIKI_CREATE
>>>> WIKI_MODIFY
>>>> 
>>>> This would be done immediately and before implementing
>>>> http://trac.edgewall.org/wiki/SpamFilter or similar unless someone
>>>> volunteers to do so soon.
>>>> 
>>>> Any objections?
>>> None at all.
>>> 
>>> Regarding registration ... note that issues.apache.org/jira requires it
>>> in order to create or modify tickets. But it's only an e-mail
>>> verification thing.
>>> 
>>> Maybe we somehow combine ticket creation and registration (at least
>>> e-mail address submission) into one step? Something along these lines:
>>> the ticket-create dropdown and form would be available to anonymous
>>> users, but before submitting the ticket, we'd ask them to either log in,
>>> or provide an e-mail address -- thus implicitly registering, and we'd
>>> follow that up with e-mail verification.
>>> 
>>> I would not allow comments or other ticket modifications from anonymous
>>> users.
>>> 
>>> -- Brane
>> 
>> Well, it would be useful to allow for comments so that you can ask
>> someone a question about the ticket they raised or get back
>> confirmation that it worked for them if they wanted to.
>> 
>> Apart from that, it is a very good question whether that is as odious
>> a process as having to do a captcha. The trick may be to convince them
>> to still submit the ticket they just wrote out when they have to then
>> go through another few steps to complete.
>> 
>> I wonder if it would be possible to have a system to moderate tickets
>> and comments prior to raising for anonymous users?
> 
> The point of not allowing comments from anonymous users is that it's
> kind of hard to figure out who the author is. The same holds for ticket
> submissions; but, if an anonymous submission is accompanied by an e-mail
> address, then at least you have /some/ ID that you can cross-reference
> from. And since submitting a ticket already requires filling in a
> (small) number of fields, adding an e-mail field wouldn't hurt as much
> as for comments.
> 
> -- Brane
> 

trac.edgewall.org simply shows a section for Author both when commenting and when creating tickets, asking for the author's email address:

New ticket: http://trac.edgewall.org/newticket?type=defect
Comment: http://trac.edgewall.org/ticket/65

Design wise I see no issues with us doing the same.

- Joe

> 
> -- 
> Branko Čibej
> Director of Subversion | WANdisco | www.wandisco.com
> 

Re: Default user permissions on i.a.o/bh issue tracker.

Posted by Branko Čibej <br...@wandisco.com>.
On 16.04.2013 20:34, Gary Martin wrote:
> On 16/04/13 19:19, Branko Čibej wrote:
>> On 16.04.2013 18:59, Joachim Dreimann wrote:
>>> There seems to be some concern around our current policy of not
>>> allowing
>>> anonymous users to report issues, and especially not allowing
>>> registered
>>> users to report/edit/comment on tickets by default.
>>>
>>> We've had several people speak out in favour of changing this,
>>> arguing it
>>> would be for the best of the community.
>>>
>>> As a first step I propose that we give all registered users the
>>> editor_group permissions:
>>> TICKET_CREATE
>>> TICKET_EDIT_DESCRIPTION
>>> TICKET_MODIFY (which implies commenting permissions)
>>> WIKI_CREATE
>>> WIKI_MODIFY
>>>
>>> This would be done immediately and before implementing
>>> http://trac.edgewall.org/wiki/SpamFilter or similar unless someone
>>> volunteers to do so soon.
>>>
>>> Any objections?
>> None at all.
>>
>> Regarding registration ... note that issues.apache.org/jira requires it
>> in order to create or modify tickets. But it's only an e-mail
>> verification thing.
>>
>> Maybe we somehow combine ticket creation and registration (at least
>> e-mail address submission) into one step? Something along these lines:
>> the ticket-create dropdown and form would be available to anonymous
>> users, but before submitting the ticket, we'd ask them to either log in,
>> or provide an e-mail address -- thus implicitly registering, and we'd
>> follow that up with e-mail verification.
>>
>> I would not allow comments or other ticket modifications from anonymous
>> users.
>>
>> -- Brane
>>
>
> Well, it would be useful to allow for comments so that you can ask
> someone a question about the ticket they raised or get back
> confirmation that it worked for them if they wanted to.
>
> Apart from that, it is a very good question whether that is as odious
> a process as having to do a captcha. The trick may be to convince them
> to still submit the ticket they just wrote out when they have to then
> go through another few steps to complete.
>
> I wonder if it would be possible to have a system to moderate tickets
> and comments prior to raising for anonymous users?

The point of not allowing comments from anonymous users is that it's
kind of hard to figure out who the author is. The same holds for ticket
submissions; but, if an anonymous submission is accompanied by an e-mail
address, then at least you have /some/ ID that you can cross-reference
from. And since submitting a ticket already requires filling in a
(small) number of fields, adding an e-mail field wouldn't hurt as much
as for comments.

-- Brane


-- 
Branko Čibej
Director of Subversion | WANdisco | www.wandisco.com


Re: Default user permissions on i.a.o/bh issue tracker.

Posted by Gary Martin <ga...@wandisco.com>.
On 16/04/13 19:19, Branko Čibej wrote:
> On 16.04.2013 18:59, Joachim Dreimann wrote:
>> There seems to be some concern around our current policy of not allowing
>> anonymous users to report issues, and especially not allowing registered
>> users to report/edit/comment on tickets by default.
>>
>> We've had several people speak out in favour of changing this, arguing it
>> would be for the best of the community.
>>
>> As a first step I propose that we give all registered users the
>> editor_group permissions:
>> TICKET_CREATE
>> TICKET_EDIT_DESCRIPTION
>> TICKET_MODIFY (which implies commenting permissions)
>> WIKI_CREATE
>> WIKI_MODIFY
>>
>> This would be done immediately and before implementing
>> http://trac.edgewall.org/wiki/SpamFilter or similar unless someone
>> volunteers to do so soon.
>>
>> Any objections?
> None at all.
>
> Regarding registration ... note that issues.apache.org/jira requires it
> in order to create or modify tickets. But it's only an e-mail
> verification thing.
>
> Maybe we somehow combine ticket creation and registration (at least
> e-mail address submission) into one step? Something along these lines:
> the ticket-create dropdown and form would be available to anonymous
> users, but before submitting the ticket, we'd ask them to either log in,
> or provide an e-mail address -- thus implicitly registering, and we'd
> follow that up with e-mail verification.
>
> I would not allow comments or other ticket modifications from anonymous
> users.
>
> -- Brane
>

Well, it would be useful to allow for comments so that you can ask 
someone a question about the ticket they raised or get back confirmation 
that it worked for them if they wanted to.

Apart from that, it is a very good question whether that is as odious a 
process as having to do a captcha. The trick may be to convince them to
still submit the ticket they just wrote out when they have to then go 
through another few steps to complete.

I wonder if it would be possible to have a system to moderate tickets 
and comments prior to raising for anonymous users?

Cheers,
     Gary


Re: Default user permissions on i.a.o/bh issue tracker.

Posted by Branko Čibej <br...@wandisco.com>.
On 16.04.2013 18:59, Joachim Dreimann wrote:
> There seems to be some concern around our current policy of not allowing
> anonymous users to report issues, and especially not allowing registered
> users to report/edit/comment on tickets by default.
>
> We've had several people speak out in favour of changing this, arguing it
> would be for the best of the community.
>
> As a first step I propose that we give all registered users the
> editor_group permissions:
> TICKET_CREATE
> TICKET_EDIT_DESCRIPTION
> TICKET_MODIFY (which implies commenting permissions)
> WIKI_CREATE
> WIKI_MODIFY
>
> This would be done immediately and before implementing
> http://trac.edgewall.org/wiki/SpamFilter or similar unless someone
> volunteers to do so soon.
>
> Any objections?

None at all.

Regarding registration ... note that issues.apache.org/jira requires it
in order to create or modify tickets. But it's only an e-mail
verification thing.

Maybe we somehow combine ticket creation and registration (at least
e-mail address submission) into one step? Something along these lines:
the ticket-create dropdown and form would be available to anonymous
users, but before submitting the ticket, we'd ask them to either log in,
or provide an e-mail address -- thus implicitly registering, and we'd
follow that up with e-mail verification.

I would not allow comments or other ticket modifications from anonymous
users.

-- Brane

-- 
Branko Čibej
Director of Subversion | WANdisco | www.wandisco.com