search

mysociety / alaveteli

Provide a Freedom of Information request system for your jurisdiction
https://alaveteli.org
Other
385 stars 195 forks source link

Prevent setting an entire request to `hidden` prominence from the admin interface #7213

Closed WilliamWDTK closed 1 year ago

WilliamWDTK commented 1 year ago

This ensures that requesters still have access to at least know the existence of their request. Individual messages can still be hidden from the requester as needed.

mdeuk commented 1 year ago

This ensures that requesters still have access to at least know the existence of their request. Individual messages can still be hidden from the requester as needed.

Excellent suggestion. There are rare edge cases where we will need to hide everything, including the subject heading of a request - but IMO, for the most part, setting individual elements of correspondence to hidden / requester_only would be a useful transparency improvement.

WilliamWDTK commented 1 year ago

This ensures that requesters still have access to at least know the existence of their request. Individual messages can still be hidden from the requester as needed.

Excellent suggestion. There are rare edge cases where we will need to hide everything, including the subject heading of a request - but IMO, for the most part, setting individual elements of correspondence to hidden / requester_only would be a useful transparency improvement.

Indeed, and what I did think of mentioning was that we could still do so via some harder-to-reach method. Getting the developers to use the console to hide a whole request is one way, though not ideal. There might be another way. I think whatever the way is, it must force some element of consideration of necessity by not allowing a single individual to instantly hide an entire request (remove one or two of those factors: >1 admin or longer than instant (helped by #7214)).

garethrees commented 1 year ago

There are rare edge cases where we will need to hide everything

Here's some quick stats on that:

InfoRequest.where(prominence: 'hidden').count
# => 1898

InfoRequest.where(prominence: 'hidden').group("TO_CHAR(info_requests.created_at, 'YYYY')").count
# => { "2009" => 10,
# =>   "2010" => 3,
# =>   "2011" => 68,
# =>   "2012" => 10,
# =>   "2013" => 12,
# =>   "2014" => 21,
# =>   "2015" => 29,
# =>   "2016" => 842,
# =>   "2017" => 145,
# =>   "2018" => 503,
# =>   "2019" => 133,
# =>   "2020" => 20,
# =>   "2021" => 9,
# =>   "2022" => 93 }
garethrees commented 1 year ago

I don't think we'll do this in code. It's helpful for all prominence-related functionality to work the same, and other Alavetelis may make more use of "hidden" than we do.

We do have occasions where we want to use this – even if only temporarily – and https://github.com/mysociety/alaveteli/issues/7214 seems like a good way to give requesters some info now that we have https://github.com/mysociety/alaveteli/issues/6746.

We can minimise our own use of fully hidden content through policy.