I'm hoping to start a discussion into the next phases of improving user notes and php.net in general.
So far since the discussion on improving user notes I've implemented a few improvements including: voting, flagging, and sorting user notes. For some background on the discussion see https://wiki.php.net/ideas/usercomments#new_user_notes_features The code can be found here https://github.com/srgoogleguy/web-php/commit/320a3db027ceb5ed25dda8da53b2b0f2f316c18d The limitations of this implementation are that users are still not held accountable for their contributions whether by submitting new notes, voting on existing notes, or flagging other users' notes. It's my understanding that a site-wide authentication system for php.net was discussed in the past with OAuth 2.0 being a primary candidate. Offering authentication can help limit both abuse of these new user notes features and provide incentive for contribution. Currently the existing code relies on master.php.net to store the IP address of the client voting on a note and thus allowing us to limit votes to 1 per note, per IP, per day. Not really the greatest way to prevent abuse, but it's the only reasonable way I can see to do it now. The SQL for the new tables that need to go into master can be found here: http://php.sheriframadan.com/master/master-db.sql.txt There would need to be two additional scripts added to master.php.net/entry for voting and flagging, that will handle the database and email work. Additionally, there needs to be one more script on master updated, which is the script that generates the note files populated on the mirrors through rsync. This just appends the additional vote data onto the end of the note files. The rest is handled by the mirrors in the commit above. To next step is to get OAuth 2.0 working so that we can control user notes contributions more tightly. The problem is this requires a heavier load on master.php.net which means we have to store tokens in the master db. Additionally there's the question of how much work/trust can we put into the mirrors for handling the authentication process? Do we direct everything to master or should the individual mirrors be accountable for the authentication? There are some security concerns there, but I'm not sure what the best approach is. If anyone is interested in helping out weed these issues and offer any assistance that'll be great.
