I'm hoping to start a discussion into the next phases of improving
user notes and php.net in general.

So far, since the discussion on improving user notes, I've implemented a
few improvements, including voting, flagging, and sorting user notes.
For some background on the discussion see
https://wiki.php.net/ideas/usercomments#new_user_notes_features

The code can be found here
https://github.com/srgoogleguy/web-php/commit/320a3db027ceb5ed25dda8da53b2b0f2f316c18d

The limitations of this implementation are that users are still not
held accountable for their contributions whether by submitting new
notes, voting on existing notes, or flagging other users' notes. It's
my understanding that a site-wide authentication system for php.net
was discussed in the past with OAuth 2.0 being a primary candidate.
Offering authentication can help limit both abuse of these new user
notes features and provide incentive for contribution.

Currently the existing code relies on master.php.net to store the IP
address of the client voting on a note and thus allowing us to limit
votes to 1 per note, per IP, per day. Not really the greatest way to
prevent abuse, but it's the only reasonable way I can see to do it
now. The SQL for the new tables that need to go into master can be
found here: http://php.sheriframadan.com/master/master-db.sql.txt

There would need to be two additional scripts added to
master.php.net/entry for voting and flagging, that will handle the
database and email work. Additionally, there needs to be one more
script on master updated, which is the script that generates the note
files populated on the mirrors through rsync. This just appends the
additional vote data onto the end of the note files. The rest is
handled by the mirrors in the commit above.

The next step is to get OAuth 2.0 working so that we can control user
notes contributions more tightly. The problem is this requires a
heavier load on master.php.net which means we have to store tokens in
the master db. Additionally there's the question of how much
work/trust can we put into the mirrors for handling the authentication
process? Do we direct everything to master or should the individual
mirrors be accountable for the authentication? There are some security
concerns there, but I'm not sure what the best approach is. If anyone
is interested in helping to weed out these issues and offering any
assistance, that'll be great.
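The "1 vote per note, per IP, per day" limit described above, shown as an added example that is not code from the linked commit or from master.php.net. The `note_votes` table, its columns, the `NoteVoteLimiter` class and the HMAC key are assumptions; the point is that the limit is enforced by a database unique constraint rather than a check-then-insert in PHP, so two requests arriving at the same moment cannot both get through:

```php
<?php
// Added example: per-note, per-IP, per-day vote limiting enforced by a
// UNIQUE constraint. Uses an in-memory SQLite database so it runs offline;
// the real master.php.net schema is assumed to differ.

final class NoteVoteLimiter
{
    private PDO $db;

    public function __construct(PDO $db)
    {
        $this->db = $db;
        // Hypothetical table. The UNIQUE index is what enforces the limit:
        // a second vote on the same note from the same client on the same
        // day is rejected by the database itself.
        $this->db->exec('CREATE TABLE IF NOT EXISTS note_votes (
            note_id  INTEGER NOT NULL,
            ip_hash  TEXT    NOT NULL,
            vote_day TEXT    NOT NULL,
            vote     INTEGER NOT NULL CHECK (vote IN (-1, 1)),
            UNIQUE (note_id, ip_hash, vote_day)
        )');
    }

    /**
     * Records a vote. Returns true if it was accepted and false if this
     * client has already voted on this note today.
     */
    public function vote(int $noteId, string $clientIp, int $vote, ?DateTimeImmutable $now = null): bool
    {
        if ($vote !== 1 && $vote !== -1) {
            throw new InvalidArgumentException('vote must be +1 or -1');
        }
        // Validate the address before it goes anywhere near the database.
        $ip = filter_var($clientIp, FILTER_VALIDATE_IP);
        if ($ip === false) {
            throw new InvalidArgumentException('invalid client IP');
        }
        $now ??= new DateTimeImmutable('now', new DateTimeZone('UTC'));
        $day = $now->format('Y-m-d');

        // Store a keyed hash instead of the raw address so the vote table
        // does not become a long-lived log of visitor IPs. The key here is
        // a placeholder; a real deployment would read it from configuration.
        $ipHash = hash_hmac('sha256', $ip, 'REPLACE_WITH_SECRET_KEY');

        $stmt = $this->db->prepare(
            'INSERT INTO note_votes (note_id, ip_hash, vote_day, vote) VALUES (?, ?, ?, ?)'
        );
        try {
            $stmt->execute([$noteId, $ipHash, $day, $vote]);
            return true;
        } catch (PDOException $e) {
            // SQLSTATE 23000 is an integrity constraint violation, i.e. a
            // duplicate (note_id, ip_hash, vote_day). Anything else is a
            // genuine error and is re-thrown.
            if ((string) $e->getCode() === '23000') {
                return false;
            }
            throw $e;
        }
    }
}

// Demonstration on constructed input (addresses from the documentation range).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$limiter = new NoteVoteLimiter($db);
$day1 = new DateTimeImmutable('2013-01-15 10:00:00', new DateTimeZone('UTC'));
$day2 = $day1->modify('+1 day');

$cases = [
    // label,                         note, ip,            vote, when,  accepted?
    ['first vote on note 42',        42, '203.0.113.7', 1,  $day1, true],
    ['same note/IP/day again',       42, '203.0.113.7', -1, $day1, false],
    ['same IP, different note',      43, '203.0.113.7', 1,  $day1, true],
    ['same note, different IP',      42, '203.0.113.8', 1,  $day1, true],
    ['same note/IP, next day',       42, '203.0.113.7', 1,  $day2, true],
];
foreach ($cases as [$label, $noteId, $ip, $vote, $when, $expected]) {
    $got = $limiter->vote($noteId, $ip, $vote, $when);
    if ($got !== $expected) {
        throw new RuntimeException("unexpected result for: $label");
    }
    printf("%-28s %s\n", $label, $got ? 'accepted' : 'rejected');
}
```

The day is computed in UTC so the window does not depend on which mirror or server handled the request. Two caveats worth keeping in mind with this scheme: clients behind a shared NAT or proxy collapse to one vote per day, and when a mirror forwards the vote to master the client address must come from a connection or header the master actually trusts, otherwise the limit keys on whatever the caller chose to send.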
