Role bot review - August 3, 2023 - Githubissues

Joystream / discord-bot

Joystream Discord Bots

GNU General Public License v3.0

0 stars 4 forks source link

Role bot review - August 3, 2023 #16

Closed mochet closed 9 months ago

mochet commented 1 year ago

See below link: https://github.com/Joystream/discord-bot/issues/16#issuecomment-1663680116

Problem

I cannot claim my membership.

The bot asks for the root account which shouldn't be done because this account should be kept in cold storage. The root account is very much not appropriate for this kind of activity. The root account is capable of changing the controller account and although not every user uses this level of security it is not a good idea to depend on people having to use their root account for this kind of activity.
controller account is also inappropriate because one controller account can be tied to multiple member handles
The bot should prompt for the Joystream membership handle and then the user should be asked to sign using their controller address
The bot does not explain how to submit /solve, the prompts should reference this. The only way I understood to do this was seeing other users in the server do so.

Notes

/claim
- Asks for root account--this should ask for controller account as root account is typically kept in cold storage.
- Bot replies with Go to this URL [https://polkadot.js.org/apps/?rpc=wss://rpc.joystream.org:9944#/signing](https://polkadot.js.org/apps/?rpc=wss://rpc.joystream.org:9944#/signing "https://polkadot.js.org/apps/?rpc=wss://rpc.joystream.org:9944#/signing") and sign the following data with the given account. Zb0mbbk7RG
  - I do this action and it doesn't explain where to put the signed data on Discord. Replying to the bot or just pasting it in chat does not do anything.
  - If I /claim with the signed data the bot appears to get stuck thinking for a long time/crashes.
- Changes needed
  - Instructions to user must be far clearer--"Use /solve to submit your signed data". The bot currently doesn't explain how to do this step.
  - /claim takes any input, it should validate an address
  - /claim should be asking for membership controller address and not root address (!).
    - It should really prompt for the member handle and then ask them to sign using the controller address.
  - How does bot deal with an address that has multiple memberships attached to it?

mochet commented 1 year ago

Ok so after a call today to discuss this the bot doesn't need any /claim or /solve action at all. It should just look at the profile metadata on-chain and assign roles to the Discord username specified there. If more than one Joystream profile claims a Discord username it should assign roles to both.

This is because to get any role (council member, storage worker etc) on-chain is a privilege already, there is no way for a random user to really abuse this because the Joystream handle is the one that gets given roles, not the Discord handle.