alaveteli
Add ability for administrator to delete an unconfirmed request
Currently a request drafted is held until a user's email address is confirmed.
On a couple of occasions recently inappropriate draft requests (eg. requests for personal information, or general correspondence) have come to administrators' attention and ideally it would have been possible to delete them to prevent them being sent.
This would need something like a moderation queue (#75)
Or a delete button for post redirects.
Just noting that in the last WDTK catchup we mentioned that, given it's infrequent, volunteers can email developers to do this. If it becomes more frequent we can consider some more UI for it.
Can probably find out how many of these there are with something like

```ruby
User.
  where(email_confirmed: false).
  map { |user| [user.id, user.post_redirects.where(uri: '/new').count] }
```

Currently have lots of unconfirmed users, so doing this in raw SQL would be much faster:

```ruby
User.where(email_confirmed: false).count
# => 12751
```
Today a WhatDoTheyKnow user specifically requested we delete a draft request on the grounds they'd accidentally included their real name in it, when they were intending to make a request under a pseudonym.
+1 There was an issue yesterday with a user whose draft request would have breached the house rules and potentially been problematic.
There is a risk in these cases that an admin follows the confirmation link and a problematic message gets sent - by an admin.
It has been suggested that this issue might be related to deleting drafts (https://github.com/mysociety/alaveteli/issues/7049)
It has been suggested that this issue might be related to deleting drafts (#7049)
These are different. This ticket is essentially about being able to delete a `PostRedirect`. #7049 is about deleting `AlaveteliPro::DraftInfoRequest` and `AlaveteliPro::DraftInfoRequestBatch` records.
I have just done some testing around this. I created a new request to the test quango and registered a new account. I logged in to the system and banned the account that I had just created. I then went into the email account linked to the test account and clicked on the confirmation link. The request was sent to the test Quango despite the fact that the account had been banned. Had an admin clicked on the link it is likely the same thing would happen.
tl;dr banning a user in advance is not a solution.