Opened 3 years ago
Last modified 3 years ago
#5937 new enhancement
Extend the possibility for leaving a plugin or theme review
| Reported by: | Clorith | Owned by: | |
|---|---|---|---|
| Milestone: | | Priority: | normal |
| Component: | General | Keywords: | |
| Cc: | | | |
Description
Disclaimer: This is for sharing an extended idea, and is not an absolute solution, or implementation guide.
Now that we've got the formalities out of the way: currently, to write a review for a plugin or theme on WordPress.org, you need to create an account. This is fine, but since WordPress.org does not have SSO (Single Sign On), it means users need yet another account, and this is a barrier for many.
With the addition of Application Passwords, we could investigate other avenues to help plugin and theme authors encourage reviewing their solutions. There are pros and cons to this of course, which I'll get back to shortly.
If an anonymous user goes to write a review, ask them for their WordPress website URL as well. When the review is submitted, it would then be possible to validate their site, _and_ that they have the plugin or theme installed before leaving a review. After the validation is done, the token should be removed from WordPress.org, as there's no scenario where we would want to sit on the potential access to who knows how many sites.
One drawback is that anyone leaving a negative review is unlikely to have the plugin or theme still installed, I think the contrast could be drawn that they'd then not have a problem making an account to share their disapproval in the first place.
Alternatively, the app password request could be used to authenticate against a website, grab their account e-mail, and use it as an avenue to create (and approve) their account with WordPress.org in as smooth a transition as possible.
Regardless of approaches, it would need to pass through abuse detection of some form, like anything else, what options do we have to prevent abuse here? Anyone can spin up a WordPress site fairly easily these days, what potential abuse do we envision, and how do we work against each of these?
- This could be used to signup under temporary emails we would normally filter out.
  - Any normal signup flow precautions should be applied like before.
- Someone could spam reviews for plugins or themes via single use sites.
  - Should we detect high activity on plugin or theme reviews/forums in the first place to trigger a "slow down" or similar for ensuring nobody is being targeted? (probably a different ticket, but a potential fix)
Those were two quick thoughts to get the discussion rolling.
This is just me thinking aloud, nothing solid or set in stone here, there are a number of things related to this that I've removed as unrelated.
Regardless of how it's implemented, this is something that I've talked with various people over the years multiple times, many plugins/themes get next to no reviews, which negatively affects WordPress.org's ability to use review data for ranking/search/sorting/highlighting purposes.
We could also benefit from it for things like Blocks, Patterns, and Photos shown directly within the editor where we'll unfortunately need a way to allow someone to flag/report items directly from their editor instance, even if they don't have a WordPress.org account.
There are a number of ways we could offer this including:
Now that I think about it more, the final option there is probably the most ideal for a review, while the second is probably the best for a "flag this item" action.
We have some flags we can use here, not all of which will be super helpful..
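A sketch of the validate-then-discard flow from the ticket description, added here as an illustration and not taken from the ticket or from WordPress.org code. It uses the core REST routes `/wp/v2/plugins` and `/wp/v2/users/me/application-passwords`; the `http` transport, the `FakeSite` stand-in and all sample values are constructed assumptions.

```python
import base64
import json
from urllib.parse import quote

def verify_and_revoke(site_url, user, app_password, slug, http):
    """Check that `slug` is installed on the site, then revoke the credential.

    `http(method, url, headers) -> (status, body)` is a hypothetical transport
    injected by the caller. Returns (installed, revoked).
    """
    api = site_url.rstrip("/") + "/wp-json/wp/v2"
    basic = base64.b64encode(f"{user}:{app_password}".encode()).decode()
    headers = {"Authorization": "Basic " + basic}
    installed = revoked = False
    try:
        status, body = http("GET", api + "/plugins", headers)
        plugins = json.loads(body) if status == 200 else []
        if isinstance(plugins, list):
            # Assumption: the plugin's directory name equals its WordPress.org slug.
            installed = any(isinstance(p, dict) and str(p.get("plugin", "")).split("/")[0] == slug
                            for p in plugins)
    except ValueError:
        installed = False  # unparseable response: treat as not verified
    finally:
        # Revoke even when the check failed, so no site credential outlives the request.
        status, body = http("GET", api + "/users/me/application-passwords/introspect", headers)
        if status == 200:
            uuid = json.loads(body)["uuid"]
            status, _ = http("DELETE", f"{api}/users/me/application-passwords/{quote(uuid, safe='')}", headers)
            revoked = status == 200
    return installed, revoked

class FakeSite:
    """Constructed stand-in for a WordPress site so the example runs offline."""
    def __init__(self, plugins):
        self.plugins, self.live = plugins, True

    def __call__(self, method, url, headers):
        if not self.live or "Authorization" not in headers:
            return 401, "{}"
        if method == "GET" and url.endswith("/plugins"):
            return 200, json.dumps(self.plugins)
        if method == "GET" and url.endswith("/introspect"):
            return 200, json.dumps({"uuid": "constructed-uuid"})
        if method == "DELETE" and url.endswith("/constructed-uuid"):
            self.live = False  # the application password is now invalid
            return 200, json.dumps({"deleted": True})
        return 404, "{}"
```

The function returns only the two booleans, so the caller has nothing credential-shaped to store alongside the review.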