Bug #17651
closedRemove ability to create Docs for Users
Added by Raymond Hoh almost 2 years ago. Updated almost 2 years ago.
0%
Description
Luke stumbled upon this issue on the call today.
If you are logged in and hover over the admin bar sticky menu on the top-right corner, the "My Docs > Create New Doc" menu item is available. If clicked, this allows users to create new docs, however we only want to allow doc creation through an individual group.
Let's remove this menu item.
Files
non-group-doc-settings-17651.php (753 Bytes) non-group-doc-settings-17651.php | Boone Gorges, 2023-02-16 01:37 PM | ||
non-group-doc-settings-17651.php (871 Bytes) non-group-doc-settings-17651.php | Boone Gorges, 2023-02-16 03:13 PM |
Updated by Raymond Hoh almost 2 years ago
I've removed the "My Docs > Create New Doc" admin bar menu item in https://github.com/cuny-academic-commons/cac/commit/f6384200c1c0b7bbe87bdee8966132e4ba70f8bb. This will be a part of next Tuesday's maintenance release.
I have a question about the Docs Directory page: https://commons.gc.cuny.edu/docs/
. This page is still accessible if one knows the URL. Do we want to redirect away from this page? Also if you view the Docs Directory, there are quite a few docs created by users that are not connected to a group. Some are using Docs for classes, essays, blog posts, cover letters, etc. This suggests that there may be some utility in keeping doc creation for users...
Updated by Matt Gold almost 2 years ago
Thanks, Ray. For those docs unconnected with a group, are many of them recent -- say, over the last 6-12 months?
Updated by Raymond Hoh almost 2 years ago
Thanks, Ray. For those docs unconnected with a group, are many of them recent -- say, over the last 6-12 months?
44 docs from February 2022 until now.
Updated by Boone Gorges almost 2 years ago
#17654 is a case where the ability to create Docs outside of groups caused some problems. Summary:
- A user created a doc via commons.gc.cuny.edu/docs/create
- The buddypress-group-in-docs plugin, which assumes that no doc creation will happen outside of groups, removed the 'Access Control' dropdowns. See https://github.com/cuny-academic-commons/cac/blob/a55d47faf5d88a2fa7e6378130bd8c00f689178d/wp-content/plugins/buddypress-docs-in-group/includes/bpdig.php#L146
- As a result, the user's new doc was created without any access control settings being saved in the database at all. Docs then fell back on the permissive default settings (including 'edit=loggedin'), with no indication that this was the case, and no ability to change the defaults.
- Some other spammy user knew enough about this to take advantage.
So I think we need to be more aggressive than Ray's changes. I've added two additional things:
1. Show Access Settings when you're looking at the Create/Edit page outside of a group. This will at least give users the ability to see and change the Access Controls. https://github.com/cuny-academic-commons/cac/commit/bbf46db0deeb3d3a8775d00c4fb20427b4c44c8d
2. Redirect away from commons.gc.cuny.edu/docs/create. https://github.com/cuny-academic-commons/cac/commit/7aba56511dbe36daf93fdc7711ae2232cd21a34a
This should fix the issue for the future.
As for existing items, it's possible to write a script that goes through and changes the Edit setting to 'The Doc author only' for each Doc that wasn't created in the context of a group. This would cause a problem if there were instances where someone was specifically using Docs to collaborate with someone outside of a group, but I would guess that there are zero or close-to-zero instances like this, and in those instances they could just manually configure the access settings. What do others think of this?
Updated by Raymond Hoh almost 2 years ago
As for existing items, it's possible to write a script that goes through and changes the Edit setting to 'The Doc author only' for each Doc that wasn't created in the context of a group.
I think that should be fine.
I just did a query to determine if there were any user docs with multiple authors and this only returned two results:This would cause a problem if there were instances where someone was specifically using Docs to collaborate with someone outside of a group, but I would guess that there are zero or close-to-zero instances like this
- https://commons.gc.cuny.edu/docs/hotmail-log-in/history/ - Luke's recent doc that was updated with spam within a day
- https://commons.gc.cuny.edu/docs/facilitation-sign-up-2/history/ - Legit doc from 2015
Updated by Boone Gorges almost 2 years ago
- File non-group-doc-settings-17651.php non-group-doc-settings-17651.php added
- Status changed from New to Resolved
- Target version set to 2.1.2
Thanks for that, Ray. I wrote and ran the attached script, so I think we are done here.
Updated by Raymond Hoh almost 2 years ago
Hi Boone, was just looking over the script and I think there's a typo. Line 31 should be changed from:
update_post_meta( $doc_id, 'bp_docs_settings', true );
to:
update_post_meta( $doc_id, 'bp_docs_settings', $doc_settings );
Updated by Boone Gorges almost 2 years ago
Thanks, Ray. A bleary-eyed mistake. I fixed it with the attached.