Admin Roles: Restrict ability to search for and update users

Description

Only admins with superadmin, policy_and_abuse, open_doors, support, or tag_wrangling roles should

  • have the “Manage Users” menu in the admin navigation, with “Find Users” and “Bulk Email Search” links in the menu

  • be able to access the Find Users and Bulk Email Search pages by following said links

  • be able to perform searches from those pages

  • be able to download a CSV of the results on the Bulk Email Search page

  • be able to see and update a user’s roles after performing a search on the Find Users or Bulk Email Search page

  • be able to see a user’s Fannish Next of Kin after performing a search on the Find Users or Bulk Email Search page

  • access a user admin page by following the “Details” link after performing a search on the Find Users or Bulk Email Search page

  • be able to see all of the user admin page’s content, e.g. buttons, forms, history table

  • be able to use the Manage User Invitations, Add User Invitations, Troubleshoot Account, Send Activation Email, Activate User Account, and Manage User Roles options on the user admin page

Admins with the superadmin or policy_and_abuse role should

  • be able to modify the Fannish Next of Kin on the user admin page

  • be able to record notes or warnings on the user admin page

  • be able to suspend/ban or lift suspension/ban on the user admin page

  • be able to ban and delete all of a spammer’s creations on the user admin page

Admins with the open_doors, support, or tag_wrangling roles should

  • receive an error when attempting to do anything on the previous list

Admins with none of the listed roles should

  • not have the “Manage Users” menu in the admin navigation

  • be redirected and given an error message if they enter the URL to Find Users (https://test.archiveofourown.org/admin/users) or Bulk Email Search (https://test.archiveofourown.org/admin/users/bulk_search) pages, or to a user’s admin page (https://test.archiveofourown.org/admin/users/testy) in their browser bar

UPDATE 20 JULY (Deployed To Test)

  • only admins with the superadmin, policy_and_abuse, or support roles should be able to update a user’s email address

  • only admins with the superadmin, tag_wrangling, or open_doors roles should be able to update a user’s roles

    • please test adding and removing, especially including removing the only role
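The role-to-action matrix described above, together with an update routine that only touches the fields an admin is allowed to change, as an added plain-Ruby sketch (not AO3's own code; the module, action names, Struct types and error strings are assumptions for illustration):

```ruby
module AdminUserPermissions
  # Roles that unlock the "Manage Users" menu, the Find Users / Bulk Email
  # Search pages and the user admin page (from the ticket description).
  SEARCH_ROLES = %w[superadmin policy_and_abuse open_doors support tag_wrangling].freeze
  # Action names are assumptions; the role lists come from the ticket.
  ACTION_ROLES = {
    manage_users:   SEARCH_ROLES,
    suspend_or_ban: %w[superadmin policy_and_abuse],
    record_note:    %w[superadmin policy_and_abuse],
    edit_fnok:      %w[superadmin policy_and_abuse],
    spam_ban:       %w[superadmin policy_and_abuse],
    update_email:   %w[superadmin policy_and_abuse support],  # 20 July update
    update_roles:   %w[superadmin tag_wrangling open_doors],  # 20 July update
  }.freeze
  EMAIL_RE = /\A[^@\s]+@[^@\s]+\.[^@\s]+\z/

  Admin = Struct.new(:login, :roles)
  User  = Struct.new(:login, :email, :roles)

  # An admin may perform +action+ if any of their roles is on its allow list.
  def self.can?(admin, action)
    allowed = ACTION_ROLES.fetch(action) { raise ArgumentError, "unknown action #{action}" }
    !(admin.roles & allowed).empty?
  end

  # Applies a submitted form (+params+) to +user+. Returns [ok, errors].
  # Only fields present in the form are considered, so submitting the form
  # without a roles field never wipes roles, and a blank email is rejected.
  def self.update_user(admin, user, params)
    return [false, ['Not authorized to manage users']] unless can?(admin, :manage_users)
    errors = []
    if params.key?(:email)
      if !can?(admin, :update_email)
        errors << 'Not authorized to change the email address'
      elsif params[:email].to_s.strip.empty? || params[:email] !~ EMAIL_RE
        errors << 'Email is invalid'
      end
    end
    if params.key?(:roles) && !can?(admin, :update_roles)
      errors << 'Not authorized to change roles'
    end
    return [false, errors] unless errors.empty?
    user.email = params[:email] if params.key?(:email)
    user.roles = Array(params[:roles]) if params.key?(:roles) # [] removes the only role
    [true, []]
  end
end
```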

Activity

redsummernight
July 23, 2020, 1:51 AM

  • "Just hitting the ‘Update’ button even without changing the email address removes the user role."

  • "We can delete an email address completely and leave it blank."

We'll need to fix these.

While we're at it, it should be possible to print nice validation errors on the users as well (fixing Sammie's point "this seems to be because I was using an email address that the system considered taken"). Right now we're completely bypassing validations when admins save users, which isn't nice.

Matty Lynne
July 24, 2020, 7:18 AM

PAC:

Clicking update or changing the email address does not remove user roles.

I can’t completely remove the email address; if I do, the former address reappears after trying to save. If I put in an incomplete address I get an error warning: The user testy could not be updated: Email is invalid Email does not seem to be a valid address. Email should look like an email address.

When I try to use an email address that is already attached to an account, I get an error: The user testy could not be updated: Email has already been taken

Sarken
July 28, 2020, 2:43 AM

As a superadmin, I was able to add the tag wrangler role to testy and prova, and I was able to add the translator and archivist roles to testy10 in one go. I could remove roles, too: I removed the one-and-only role for a user, then removed one role and left another, and then removed both of a user’s roles simultaneously. That looks good!

I was also able to change a user’s email address. Attempting to remove the address entirely gave me a success message rather than an error, but the email address remained. I got the same message as Matty when trying to change the email address to one that was missing everything after the @. The message is not ideal – it’s a big run-on sentence – but it’s acceptable for now.

I was able to access a user’s Details page and, while there, add and remove a FNOK and record a note on a user. I suspended a user and then lifted the suspension. I troubleshot the user, gave them some invitations, and accessed their manage invitations page. The button for managing roles took me to the search results page where I could see the user/modify their roles.

I sent an activation email to an unactivated user and then activated their account. Then I posted a work with that account and spam banned it.

I was also able to do a bulk search and download the results.

Looks good!

Heleen
July 28, 2020, 5:40 PM

As Translation admin, I do not have the “manage users” menu

Navigating to the 3 above links redirected me to test.archiveofourown.org/ and gave the error message.

Sarken
July 28, 2020, 11:33 PM

Jessie from Board:

  • I don't have the Manage Users menu, and all three URLs give me the error message

Claudia from Comms showed me a screenshot with the Manage Users menu item missing, which is correct.

DeployedToBeta

Assignee: Elz J
Reporter: Elz J
Roadmap: Admin
Priority: Medium
Components: BackEnd
Difficulty: Medium
Required Access Level: Admin
Milestone: Internal 0.9