#1570 closed enhancement (fixed)
Reviewer Admin
| Reported by: |  | Owned by: | |
|---|---|---|---|
| Milestone: | Priority: | normal | |
| Component: | Plugin Directory | Keywords: | |
| Cc: | 
Description
Enhancements to the standard WordPress plugin to enable plugin reviews.
- Create two Reviewer roles: Plugin Reviewer, Plugin Admin.
- Meta boxes with SVN/Trac Links.
- Internal notes, only viewable to Plugin Admins.
Plugin reviewers can only suggest to accept a plugin, Plugin Admins can change status.
Attachments (2)
Change History (104)
    
      
         
        
This ticket was mentioned in Slack in #meta by obenland. View the logs.
      
      
10 years ago
    
    
  
              
    
      
    #7
  
    
        
          
             @
 @
            
10 years ago
        
    
  
  
    
Admin: Approve, Reject, Open, Close, Disable, Contact developer from 'interface' (plus everything a reviewer can do)
Reviewer: Download plugin (have link to it, whichever), leave private review for admin to act on, report plugin to admins for shenanigans.
    
      
    #8
  
          follow-up:
    ↓ 10
    
        
          
             @
 @
            
10 years ago
        
    
  
  
    
So a Reviewer would be able to edit_plugins and edit_others_plugins. An Admin could additionally publish_plugins and edit_published_plugins.
In terms of statuses, we currently have pending, rejected, published, disabled, and closed.
Does that sound sane?
    
      
    #9
  
          follow-up:
    ↓ 14
    
        
          
             @
 @
            
10 years ago
        
    
  
  
    
I take it edit_plugins doesn't mean they can edit published ones?
Would Reviewers be able to see internal notes? I'm trying to see envision how we'd flag a plugin as reviewed but not approved... pending-not-reviewed, pending-reviewed?
    
      
    #10
  
        in reply to:
    ↑ 8
    
        
          
             @
 @
            
10 years ago
        
    
  
  
    
Replying to obenland:
In terms of statuses, we currently have
pending,rejected,published,disabled, andclosed.
What's the difference between disabled and closed?
    
      
    #11
  
    
        
          
             @
 @
            
10 years ago
        
    
  
  
    - disabled still serves updates but cannot be found in search
- closed is fully closed.
Closed is more common. Disabled is for things like we want to push an update to secure a plugin but it's been abandoned.
https://wordpress.org/plugins/custom-content-type-manager/ should probably be disabled, for example.
    
      
    #14
  
        in reply to:
    ↑ 9
    
        
          
             @
 @
            
10 years ago
        
    
  
  
    
Replying to Ipstenu:
I'm trying to see envision how we'd flag a plugin as reviewed but not approved... pending-not-reviewed, pending-reviewed?
We could use the built-in draft and pending stati.
    
      
    #16
  
    
        
          
             @
 @
            
10 years ago
        
    
  
  
    
Used by @ipstenu when managing plugins:
- Link to SVN repo.
- Revision log.
- Controlling permitted committers.
- Primary author.
I believe all of these are already covered.
    
      
    #19
  
    
        
          
             @
 @
            
10 years ago
        
    
  
  
    
It doesn’t look like edit-comment.js can be used for more than once comment box in the edit screen. So for the custom comment type for plugin author communication, I’m looking at either rewriting edit-comments or starting from scratch :/
    
      
    #20
  
    
        
          
             @
 @
            
10 years ago
        
    
  
  
    
Bah.
Okay so comments would be useful MOST for plugin reviewers with the plugin authors, hands down. Keeping the official communique in one place wins.
If it comes down to brass tacks, we can use the P2 for reviewers to leave reviews.
- link to plugin
- What they see wrong
They can then flag it un-resolved and an admin/approved reviewer can swoop in and send the official notice.
It's a little back and forth, but in a perfect world would lead to more admins ;)
    
      
         
        
This ticket was mentioned in Slack in #meta by obenland. View the logs.
      
      
10 years ago
    
    
  
              
    
      
    #31
  
    
        
          
             @
 @
            
10 years ago
        
    
  
  
    
For the review workflow, see 7 and following.
- Original author should be notified on approval/disapproval.
- We should think about what a re-submit process could look like after a plugin was not approved
I can't think of other actions right now that need to take place during the review, what am I missing?
    
      
         
        
This ticket was mentioned in Slack in #meta by obenland. View the logs.
      
      
10 years ago
    
    
  
              
    
      
    #33
  
    
        
          
             @
 @
            
10 years ago
        
    
  
  
    
The review process currently is
- Submit
- Review
- Reject
- Approve
- Work with the author to fix issues (resubmit)
 
The last case there is currently done by keeping the plugin in the pending state, with the author emailing updated zip files to plugins@ in response to the feedback they've received.
My first thought was multiple statuses as part of a Workflow:
- Submitted, awaiting review
- Reviewed, waiting for developer feedback
- Reviewed, waiting for admin feedback (If plugin reviewers need their reviews reviewed by an admin)
- Hold - Reviewed, not waiting for Developer feedback, admin feedback, nor rejected/approved. Basically "This is being discussed".
- Rejected
- Approved
Reviewed, waiting for admin feedback and Hold could be merged together to form a Second Opinion status - basically some way of saying "This has been looked at, and someone else needs to look at it".
@Ipstenu Does the above sound right to you? 
Finally, If a plugin author has uploaded a ZIP originally, Ideally, plugin authors would update that ZIP which the reviewers are reviewing, so plugin owners probably need access to the plugin admin screen before approval.
    
      
    #34
  
    
        
          
             @
 @
            
10 years ago
        
    
  
  
    
Hold and 'Reviewed waiting for more admins' can be combined, yes. That works for me :)
Finally, If a plugin author has uploaded a ZIP originally, Ideally, plugin authors would update that ZIP which the reviewers are reviewing, so plugin owners probably need access to the plugin admin screen before approval.
Have we decided then that we're going with uploading zips? I'm neither for it nor against it, but yes, if they're going to be re-uploading, we'll need that.
    
      
    #35
  
          follow-up:
    ↓ 36
    
        
          
             @
 @
            
10 years ago
        
    
  
  
    
Is there any plan with regards to the primary existing pain point when having multiple plugin reviewers: the potential for multiple plugin reviewers to step on each other's toes by inadvertently reviewing the same plugin at the same time?
A solution might suggest needing:
- Another post status ("under-review")
- A simple means for a reviewer to claim a plugin (action link in post table and/or button on edit page) and to unclaim the plugin (should they decide not to proceed with review).
- To store reviewer as post meta
- A post column to show reviewer
- A post table filter link to easily take a reviewer to plugins they have under-review. (Though we could limit reviewers to only claiming one at a time, in which case this view wouldn't be necessary and we could just have an admin notice above the plugin posts table saying something like You are currently reviewing <a href="">Plugin Name</a>.)
- To separately store who approved the plugin, again as post meta. (The person may differ from reviewer and recording this may be beneficial for future auditing)
- Possible safeguards to only permit the user who claimed a plugin for review (and admins, of course) to act as the plugin's reviewer (such as being able to mark a plugin as some form of reviewed).
- Possible ability to assign a plugin to another reviewer/admin for review.
In such a setup, reviewers should only proceed with reviews of plugins that they've successfully claimed.
    
      
    #36
  
        in reply to:
    ↑ 35
        ;
          follow-up:
    ↓ 37
    
        
          
             @
 @
            
10 years ago
        
    
  
  
    
Replying to coffee2code:
Is there any plan with regards to the primary existing pain point when having multiple plugin reviewers: the potential for multiple plugin reviewers to step on each other's toes by inadvertently reviewing the same plugin at the same time?
We'll be using the built-in post lock. That and a status signaling that that plugin has been reviewed.
    
      
    #37
  
        in reply to:
    ↑ 36
        ;
          follow-up:
    ↓ 38
    
        
          
             @
 @
            
10 years ago
        
    
  
  
    
Replying to obenland:
Replying to coffee2code:
Is there any plan with regards to the primary existing pain point when having multiple plugin reviewers: the potential for multiple plugin reviewers to step on each other's toes by inadvertently reviewing the same plugin at the same time?
We'll be using the built-in post lock. That and a status signaling that that plugin has been reviewed.
@coffee2code can correct me if I'm wrong, but I get the impression he's alluding to the fact that a plugin review might not be finished in a single session (a la post locking), thus needing a way to mark it as "In Progress by X reviewer".
    
      
    #38
  
        in reply to:
    ↑ 37
    
        
          
             @
 @
            
10 years ago
        
    
  
  
    
Replying to DrewAPicture:
@coffee2code can correct me if I'm wrong, but I get the impression he's alluding to the fact that a plugin review might not be finished in a single session (a la post locking), thus needing a way to mark it as "In Progress by X reviewer".
Yep, what @DrewAPicture said is what I was thinking.
Unlike when actively editing a post (for which a post lock is appropriate), a plugin review happens outside of wp-admin. Once a reviewer has obtained the code (whether it was uploaded or available via a link) they only really need to return to the post to progress the status to the next state. In the meantime, the review is being performed elsewhere and may not occur in a single session.
As well, a reviewer may wish to preemptively claim a few plugins without actually sitting down to do the review(s) right that second. Or their machine or browser may crash. Or they're about to board a flight and would like to review a handful of plugins without having an internet connection. Or we may want to eventually allow assigning reviewers (such as cases requiring deeper security review or to deal with particularly complex code). All of which are not well handled (if at all) by post locking.
    
      
    #41
  
        in reply to:
    ↑ 40
    
        
          
             @
 @
            
10 years ago
        
    
  
  
    
Replying to Ipstenu:
So you want an assignment dropdown?
For the reviewer assignment feature part of it, sure (though I wasn't concerned at this stage about a specific implementation). 
My main belief is that we should have a way of explicitly having a reviewer be able to say "I will review this plugin" and make that clear to other reviewers.
That could certainly be done with a dropdown when editing the post (and on quick/bulk edit) whereby reviewers could assign it to themselves. (...which then populates a post meta field which is then used as the data source for a post column that clearly shows the assigned reviewer.)
    
      
    #42
  
    
        
          
             @
 @
            
10 years ago
        
    
  
  
    
Replying to obenland:
How about they just write a internal note?
It's not apparent at a glance what plugins are currently being reviewed.
You'd have to visit the edit page for any/all plugin(s) in the queue depending on what you wanted to do or know. If I wanted to review a plugin, I wouldn't relish going down the list and loading each post one by one until I found a plugin that doesn't have a reviewer. (Even if you can tell if a post has internal notes or not, you can't infer a reviewer has claimed it without reading the internal notes of a plugin. And you'd have to read them all, as someone could claim it but after a number of other notes decide not to proceed with the review.)
It's not easy to determine which plugins are specifically assigned to me (or anyone else).
Maybe I've forgotten which one(s) I said I'd review. Or I got sick and asked someone else to take on my reviews. Or a reviewer quit or got kicked off the review team and now their claimed plugins need to be unclaimed/reassigned.
It's not easy to programmatically determine the reviewer for a plugin.
Thus you can't really do any filtering (e.g. list only the plugins I'm reviewing, list only plugins needing a reviewer, list all plugins reviewed by UserX and approved (perhaps they all warrant a re-review), etc) or stats (percentage of plugin queue currently under review; number of reviews Ipstenu has performed last month) or analysis.
    
      
    #43
  
    
        
          
             @
 @
            
10 years ago
        
    
  
  
    
Having an assignment drop down would fulfill that. If something is assigned to a person, much like themes, it's THEIR responsibility. The only time it might get chancy is if something is assigned (like Pippin assigns a review to Aaron) and we forget to tell the assignee.
Email: Plugin review x has been assigned to you by Bob.
A custom meta value could do it? Maybe... They're not very sortable as I've learned recently.
    
      
    #48
  
          follow-up:
    ↓ 51
    
        
          
             @
 @
            
10 years ago
        
    
  
  
    
@dd32: Should we make Tools\SVN closer to Automattic_SVN? What were your plans for it going forward?
@Ipstenu: Are there any actions we need to execute when post statuses change? I added some for when a plugin gets published/rejected. Is there anything we need to do when one gets hidden, closed etc.
    
      
    #49
  
    
        
          
             @
 @
            
10 years ago
        
    
  
  
    
I almost said "Gee wouldn't it be nice if it automatically posted in the P2 and emailed..." except sometimes we close posts and then check to make sure we should have. So ... No nothing needs to be triggered unless I'm forgetting something ( @otto42 @mordauk ?)
    
      
    #51
  
        in reply to:
    ↑ 48
        ;
          follow-up:
    ↓ 60
    
        
          
             @
 @
            
10 years ago
        
    
  
  
    
Replying to obenland:
@dd32: Should we make
Tools\SVNcloser toAutomattic_SVN? What were your plans for it going forward?
I was planning to just add wrapper methods for the core functionalities needed (as we need them), rather than the kitchen sink & abstraction that Automattic_SVN offers. I haven't seen a need for extra methods there yet - have I missed something?
    
      
    #60
  
        in reply to:
    ↑ 51
        ;
          follow-up:
    ↓ 63
    
        
          
             @
 @
            
10 years ago
        
    
  
  
    
Replying to dd32:
I was planning to just add wrapper methods for the core functionalities needed (as we need them), rather than the kitchen sink & abstraction that
Automattic_SVNoffers. I haven't seen a need for extra methods there yet - have I missed something?
Makes sense. We'll need a way to create a new repo for uploaded plugins once they're approved.
    
      
    #63
  
        in reply to:
    ↑ 60
    
        
          
             @
 @
            
10 years ago
        
    
  
  
    
Replying to obenland:
Replying to dd32:
I was planning to just add wrapper methods for the core functionalities needed (as we need them), rather than the kitchen sink & abstraction that
Automattic_SVNoffers. I haven't seen a need for extra methods there yet - have I missed something?
Makes sense. We'll need a way to create a new repo for uploaded plugins once they're approved.
Yep, SVN::mkdir( $remote_paths ) and SVN::import( $url, $local_path ) will be needed then.
Will need to check how mkdir deals with making */{trunk,tags,branches} and if it can be done in a single remote operation.
We could also get away with using just an import command for /plugin-name/ which includes trunk, branches, tags in the structure already.
    
      
    #65
  
        in reply to:
    ↑ 64
    
        
          
             @
 @
            
9 years ago
        
    
  
  
    
The ONLY catch with this is some people do not want plugins to be active right away. They want to be approved and have the code ready and waiting until they make some public declaration on their websites. Remember we get companies who need to time releases :)
The default should still be 'not active' and need some sanity check from the users, since we're changing a decade of expectation, basically!
    
      
    #66
  
    
        
          
             @
 @
            
9 years ago
        
    
  
  
    
If the trunk readme has a stable tag defined that is other than trunk, does it still fall back to trunk?
It also occurred to me that when a plugin is approved in the directory, it shouldn't show up in the directory until there is a "tagged" version.
    
      
    #68
  
    
        
          
             @
 @
            
9 years ago
        
    
  
  
    If the trunk readme has a stable tag defined that is other than trunk, does it still fall back to trunk?
I believe it does - @otto42 would know for sure.
    
      
    #69
  
    
        
          
             @
 @
            
9 years ago
        
    
  
  
    
If the Stable Tag line is missing entirely, then "trunk" is assumed.
If Stable Tag is set to trunk, then trunk it is.
If Stable Tag is set to XYZ, and /tags/XYZ exists, then that is used.
If Stable Tag is set to ABC, and /tags/ABC does not exist, then "trunk" is assumed.
    
      
    #70
  
    
        
          
             @
 @
            
9 years ago
        
  
    
Note: If the Stable Tag line exists, but it is left blank, then it tries to use the root directory of the plugin. This is a bug, which does not come up a lot. It should use trunk in such a case.
    
      
    #71
  
          follow-up:
    ↓ 72
    
        
          
             @
 @
            
9 years ago
        
    
  
  
    it shouldn't show up in the directory until there is a "tagged" version.
Simple plugins (quite of lot of them, probably the majority) only use trunk, not tagged versions. These should work too, so possibly simply putting the plugin into /trunk alone would work for the initial commit.
    
      
    #72
  
        in reply to:
    ↑ 71
        ;
          follow-up:
    ↓ 73
    
        
          
             @
 @
            
9 years ago
        
    
  
  
    
Replying to Otto42:
Thanks!
So should we refrain from importing the entire plugin to account for authors who'd like to wait with the first release?
    
      
    #73
  
        in reply to:
    ↑ 72
    
        
          
             @
 @
            
9 years ago
        
    
  
  
    
Replying to obenland:
So should we refrain from importing the entire plugin to account for authors who'd like to wait with the first release?
And if the answer is Yes, how should we handle the discrepancy between a published plugin and a "truly" published plugin, one that also has a stable version in the repo.
    
      
         
        
This ticket was mentioned in Slack in #meta by obenland. View the logs.
      
      
9 years ago
    
    
  
              
    
      
    #77
  
        in reply to:
    ↑ 76
        ;
          follow-up:
    ↓ 78
    
        
          
             @
 @
            
9 years ago
        
    
  
  
    
Replying to dd32:
@obenland You should use the
-deleteflag here instead of-exec rm:)
Thanks for taking a look! I tried, but for some reason it doesn't actually remove it. I tried:
 bash
exec( "find {$esc_directory} -name '__MACOSX' -delete" );
Am I missing something?
    
      
    #78
  
        in reply to:
    ↑ 77
    
        
          
             @
 @
            
9 years ago
        
    
  
  
    
Replying to obenland:
Replying to dd32:
@obenland You should use the
-deleteflag here instead of-exec rm:)
Thanks for taking a look! I tried, but for some reason it doesn't actually remove it. I tried:
exec( "find {$esc_directory} -name '__MACOSX' -delete" );Am I missing something?
Doesn't seem like it, It looks like on linux it doesn't remove non-empty directories
This should work, but I don't think it needs changing, I'll take my recommendation back :)
 bash
exec( "find {$esc_directory} -path '*/__MACOSX*' -delete" );
You might also want to look for .DS_Store files from windows-based plugin authors.
    
      
    #79
  
        in reply to:
    ↑ description
    
        
          
             @
 @
            
9 years ago
        
    
  
  
    
Replying to obenland:
Enhancements to the standard WordPress plugin to enable plugin reviews.
- Create two Reviewer roles: Plugin Reviewer, Plugin Admin.
- Meta boxes with SVN/Trac Links.
- Internal notes, only viewable to Plugin Admins.
Plugin reviewers can only suggest to accept a plugin, Plugin Admins can change status.
    
      
    #87
  
          follow-up:
    ↓ 88
    
        
          
             @
 @
            
9 years ago
        
    
  
  
    
FYI, Reviewer Admin is broken right now.
I can view a page, but I cannot edit anything and I have no access to leave comments etc as part of a review.
All I can do is see all posts and edit them and save changes, but I can't make any changes. :|
    
      
    #88
  
        in reply to:
    ↑ 87
    
        
          
             @
 @
            
9 years ago
        
    
  
  
    
Replying to Ipstenu:
FYI, Reviewer Admin is broken right now.
Apologies, there was an error in how I added caps to existing roles. I didn't notice that because I've only been testing the custom roles directly. You should be good to go now.

Got started today on internal notes and experimented a little bit there. Should have something presentable by tomorrow.