alaveteli icon indicating copy to clipboard operation
alaveteli copied to clipboard

Add ability for administrator to delete an unconfirmed request

Open RichardTaylor opened this issue 8 years ago • 8 comments

Currently a request drafted is held until a users' email address is confirmed.

On a couple of occasions recently inappropriate draft requests (eg. requests for personal information, or general correspondence) have come to administrators' attention and ideally it would have been possible to delete them to prevent them being sent.

RichardTaylor avatar Sep 24 '16 12:09 RichardTaylor

This would need something like a moderation queue (#75)

garethrees avatar Oct 24 '16 11:10 garethrees

Or a delete button for post redirects.

garethrees avatar Oct 24 '16 13:10 garethrees

Just noting that in the last WDTK catchup we mentioned that given its infrequent volunteers can email developers to do this. If it becomes more frequent we can consider some more UI for it.

garethrees avatar Sep 22 '17 13:09 garethrees

Can probably find out how many of these there are with something like

User.
  where(email_confirmed: false).
  map { |user| [user.id, user.post_redirects.where(uri: '/new').count] }

Currently have lots of unconfirmed users, so doing this in raw SQL would be much faster:

User.where(email_confirmed: false).count
# => 12751

garethrees avatar Sep 22 '17 13:09 garethrees

Today a WhatDoTheyKnow user specifically requested we delete a draft request on the grounds they'd accidentally included their real name in it, when they were intending to make a request under a pseudonym.

RichardTaylor avatar Jul 15 '19 14:07 RichardTaylor

+1 There was an issue yesterday with a user whose draft request would have breached the house rules and potentially been problematic.

There is a risk in these cases that an admin follows the confirmation link and a problematic message gets sent - by an admin.

RichardTaylor avatar Aug 09 '22 10:08 RichardTaylor

It has been suggested that this issue might be related to deleting drafts (https://github.com/mysociety/alaveteli/issues/7049)

RichardTaylor avatar Aug 09 '22 10:08 RichardTaylor

It has been suggested that this issue might be related to deleting drafts (#7049)

These are different. This ticket is essentially about being able to delete a PostRedirect. #7049 is about deleting AlaveteliPro::DraftInfoRequest and AlaveteliPro::DraftInfoRequestBatch records.

garethrees avatar Aug 09 '22 11:08 garethrees

I have just done some testing around this. I created a new request to the test quango and registered a new account. I logged in to the system and banned the account that I had just created. I then went into the email account linked to the test account and clicked on the confirmation link. The request was sent to the test Quango despite the fact that the account had been banned. Had an admin clicked on the link it is likely the same thing would happen.

tl;dr banning a user in advance is not a solution.

FOIMonkey avatar Aug 18 '22 20:08 FOIMonkey