Opened 5 months ago

Last modified 5 months ago

#3962 new defect

Tracbot: Delete slack posts when the related trac ticket is deleted.

Reported by: peterwilsoncc
Owned by:
Milestone:
Priority: low
Component: Slack & IRC
Keywords:
Cc:

Description

When spammers create a trac ticket, the process to delete all traces requires a Slack owner to delete the associated posts by tracbot in Slack.

It would be helpful if tracbot could delete the posts automatically (essentially giving trac gardeners delete rights by proxy).

Currently new trac tickets, comments and uploading attachments post to the slack channels:

  • #core (new tickets, title only)
  • #core-newticket (new tickets, title and description)
  • #core-firehose (all interactions, title and description/comment)

Tracbot also inserts the title and description following mentions of the ticket number.

Change History (3)

#1 @netweb
5 months ago

+1

p.s. Don't forget the bb's and the meta channel equivalents

#2 @dd32
5 months ago

  • Priority changed from normal to low

Unfortunately Trac doesn't have any webhook-type system to detect ticket deletions, which makes this a little more complicated.

The push notifications to Slack actually occur through a Trac email which gets processed by a PHP script which then sends the data out.

Other complications include the fact that if you delete a ticket, a replacement ticket can take that number; you'd have to avoid removing all ticket references to "#12345" and instead target "#12345: I'm spam".

There's a few options:

  1. Since this is usually only the most recent tickets, run a cronjob every 5 minutes which checks the latest few tickets match their Slack messages
  2. Hook in to the ticket deletion page with JS and run a callback upon the button being clicked (It'd probably have to call a w.org script and queue up a job to run in ~10 seconds to check the ticket was actually deleted) which goes in to delete the messages
  3. Add a tool to w.org somewhere for privileged users to delete ticket references or slack messages.
  4. Grant Slack Admin rights to more users so that they can clean up spam as needed.

Some of those are more viable than others; No. 2 is probably the most ideal option here.

#3 @chriscct7
5 months ago

I have to ask others quite often to delete Slack messages for tickets that were submitted as spam or security (instead of it going to hackerone). Having this automated or some way to do it where I don't have to find someone to do the Slack side of it would be really helpful, particularly when people report security things.

> The push notifications to Slack actually occur through a Trac email which gets processed by a PHP script which then sends the data out.

That's insane but cool at the same time. It makes sense I guess.

Some thoughts on the options presented:

With option 2, we'd need to be careful that someone can't just start hitting that endpoint directly or crafting inline HTML to trigger that process.

With option 1, I'm not sure that assumption can be assumed. For example, with ticket 45419 (whose number did not get reused), I only noticed it after maybe 30 - 60 minutes of it being submitted, then posted in security to see if anyone else concurred with my thought that it should be pulled, and IanDunn deleted it about 20 minutes later, once a mini-consensus was established, so in that example (and most others) 5 minutes would not be enough time. Particularly for busy trac days (in terms of gardening), periods of the day (especially weekends) where most people are not monitoring slack, and times when a lot of things are going on in Slack, tickets might not be noticed right away.

Last edited 5 months ago by chriscct7
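
The matching rule discussed in comments #2 and #3, sketched in Python as an added example (not WordPress.org's tracbot code, which the thread describes as a PHP script): the job accepts only a ticket number, asks Trac itself what is live, and selects only posts whose "#number: title" pair no live ticket accounts for, so a direct hit on the endpoint for a live ticket deletes nothing and a reused number keeps the replacement ticket's posts. `BotPost`, `posts_to_delete`, `live_titles`, `lookup` and the sample data are hypothetical names and constructed values.

```python
import re
from dataclasses import dataclass
from typing import Callable, Iterable

@dataclass(frozen=True)
class BotPost:
    """One tracbot message as logged when it was sent (hypothetical log format)."""
    channel: str
    ts: str         # Slack message timestamp, which identifies the message
    ticket_id: int
    title: str      # ticket title as it appeared in the post

def norm_title(title: str) -> str:
    # Compare titles ignoring case and runs of whitespace.
    return re.sub(r"\s+", " ", title).strip().casefold()

def posts_to_delete(ticket_id: int,
                    live_titles: Callable[[int], Iterable[str]],
                    posts: Iterable[BotPost]) -> list:
    """Return the logged posts for ticket_id that no live ticket accounts for.

    live_titles is queried server-side and yields every title the ticket that
    currently holds this number has had (nothing if the number is unused), so a
    request naming a live ticket selects nothing and a reused number keeps the
    replacement ticket's posts.
    """
    keep = {norm_title(t) for t in live_titles(ticket_id)}
    return [p for p in posts
            if p.ticket_id == ticket_id and norm_title(p.title) not in keep]

# Constructed sample data: ticket 12345 was spam, was deleted, and its number reused.
POSTS = [
    BotPost("#core", "1.1", 12345, "I'm spam"),
    BotPost("#core-newticket", "1.2", 12345, "I'm spam"),
    BotPost("#core-firehose", "1.3", 12345, "I'm spam"),
    BotPost("#core", "2.1", 12345, "Fix typo in docs"),
    BotPost("#core", "3.1", 12346, "I'm spam"),
]
TRAC = {12345: ["Fix typo in docs"], 12346: ["I'm spam"]}

def lookup(ticket_id: int) -> list:
    """Stand-in for the server-side Trac query (assumption)."""
    return TRAC.get(ticket_id, [])

if __name__ == "__main__":
    for post in posts_to_delete(12345, lookup, POSTS):
        print("delete", post.channel, post.ts)
```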