WordPress.org

Making WordPress.org

Opened 18 months ago

Last modified 5 months ago

#3962 new defect

Tracbot: Delete slack posts when the related trac ticket is deleted.

Reported by: peterwilsoncc Owned by:
Milestone: Priority: low
Component: Slack & IRC Keywords:
Cc:

Description

When spammers create a trac ticket, the process to delete all traces requires a Slack owner to delete the associated posts by tracbot in Slack.

It would be helpful if tracbot could delete the posts automatically (essentially giving trac gardeners delete rights by proxy.

Currently new trac tickets, comments and uploading attachments post to the slack channels:

#core (new tickets, title only)
#core-newticket (new tickets, title and description)
#core-firehose (all interactions, title and description/comment)

Tracbot also inserts the title and description following mentions of the ticket number.

Change History (5)

#1 @netweb
18 months ago

+1

p.s. Don't forget the bb's and the meta channel equivalents

#2 follow-up: @dd32
18 months ago

  • Priority changed from normal to low

Unfortunately Trac doesn't have any webhook-type system to detect ticket deletions, which makes this a little more complicated.

The push notifications to Slack actually occur through an Trac Email which gets processed by a PHP script which then sends the data out.

Other complications include the fact that if you delete a ticket, a replacement ticket can take that number, you'd have to avoid removing all ticket references to #12345 and instead target #12345: I'm spam

There's a few options:

  1. Since this is usually only the most recent tickets, run a cronjob every 5 minutes which checks the latest few tickets match their Slack messages
  2. Hook in to the ticket deletion page with JS and run a callback upon the button being clicked (It'd probably have to call a w.org script and queue up a job to run in ~10 seconds to check the ticket was actually deleted) which goes in to delete the messages
  3. Add a tool to w.org somewhere for privileged users to delete ticket references or slack messages.
  4. Grant Slack Admin rights to more users so that they can clean up spam as needed.

Some of those are more viable than others, No 2 is probably the most ideal option here.

#3 @chriscct7
18 months ago

I have to ask others quite often to delete Slack messages for tickets that were submitted as spam or security (instead of it going to hackerone). Having this automated or some way to do it where I don't have to find someone to do the Slack side of it would be really helpful, particularly when people report security things.

The push notifications to Slack actually occur through an Trac Email which gets processed by a PHP script which then sends the data out.

That's insane but cool at the same time. It makes sense I guess.

Some thoughts on the options presented:

With option 2, we'd need to be careful that someone can't just start hitting that endpoint directly or crafting inline HTML to trigger that process.

With option 1, I'm not sure that assumption can be assumed. For example, with ticket 45419 (whose number did not get reused), I only noticed it after maybe 30 - 60 minutes of it being submitted, then posted in security to see if anyone else concurred with my thought that it should be pulled, and IanDunn deleted it about 20 minutes later, once a mini-consensus was established. Particularly for busy trac days (in terms of gardening), periods of the day (especially weekends) where most people are not monitoring slack, and times when a lot of things are going on in Slack, tickets might not be noticed right away.

Version 0, edited 18 months ago by chriscct7 (next)

#4 in reply to: ↑ 2 ; follow-up: @SergeyBiryukov
6 months ago

Replying to dd32:

Since this is usually only the most recent tickets, run a cronjob every 5 minutes which checks the latest few tickets match their Slack messages

Just noting that this option doesn't seem viable to me, as a ticket could be renamed for legitimate reasons (e.g. fixing a typo or adding more context to the title).

Grant Slack Admin rights to more users so that they can clean up spam as needed.

This seems to be the simplest option for now, to ensure that all timezones are covered, and someone with the appropriate caps is always around.

#5 in reply to: ↑ 4 @netweb
5 months ago

Replying to SergeyBiryukov:

Replying to dd32:

Grant Slack Admin rights to more users so that they can clean up spam as needed.

This seems to be the simplest option for now, to ensure that all timezones are covered, and someone with the appropriate caps is always around.

Either this, or I had wondered if a "Slack Gardeners Group" could be created, not sure if a user group could be assigned "delete" to allow this, or if this is only available for Slack admins.

The other option, possibly a custom integration or bot could perform this, then said gardeners group would be the only users who have access to this integration/bot

Note: See TracTickets for help on using tickets.