nodejs / automation

Better automation for the Node.js project
66 stars 11 forks

An app for managing bans #22

Closed IonicaBizau closed 1 year ago

IonicaBizau commented 6 years ago

There was a discussion in the moderation repo about managing the bans (reminders etc.).

I proposed that if needed, I can help in building an app to (un)block users, set reminders, maybe later automatically detect bad behaviours etc.

The GitHub API supports organization-ban-related CRUD operations, but as @ChALkeR and @ryanmurakami pointed out, we have to figure out what the security implications are (e.g. @ChALkeR noticed that such operations need the admin:org scope, which is quite powerful).

I opened this issue for discussion. I worked with the GitHub API in the past, so maybe I can help if needed. 🍀

joyeecheung commented 6 years ago

@IonicaBizau Glad that you are reaching out and want to help build an app!

I believe the moderation team members are now owners of the org as well, so the permission should not be an issue if they are the only users of that app - in fact I think we have to make them owners precisely because we don't have an app (or bot) that handles the actual operation.

You can use https://github.com/TestOrgPleaseIgnore to test out the app. I can send you an invitation if you want to use it. When the app is ready, we can just switch whatever settings necessary so that it can start working in this organization.

cc @nodejs/moderation for what the app needs, and @nodejs/build for what we need to deploy it for this organization.

ryanmurakami commented 6 years ago

@IonicaBizau Thanks for getting this started! One aspect I was thinking of was security, because if the app is given a key that can block users, then access to the app needs to be authenticated as well. The Moderation Team has a Slack channel that we use for communication. I'm curious if the app/bot could be built as a Slack bot and we'd rely on the private Slack channel as the security? I'm not familiar enough with how Slack operates to know if that would be secure enough.

IonicaBizau commented 6 years ago

@ryanmurakami I've never built a Slack bot, but I guess it shouldn't be complicated.

As far as I understand, the app would be deployed somewhere and connect to the GitHub API endpoints. On given commands, Slack would make requests to the app.

Wouldn't it be easy to have OAuth authentication directly in the app and rely on GitHub for permissions (e.g. a user without privileges will obviously not have access to (un)block users)?

To know the context:

phillipj commented 6 years ago

Didn't somebody else build something like this already?

https://github.com/williamkapke/orgbot

I remember some discussions about using that bot, but I don't recall which repo / issues those discussions were in.

gibfahn commented 6 years ago

Sounds great, but there is already a bot, called orgbot, written by @williamkapke, see e.g. https://github.com/nodejs/community-committee/issues/22 and https://github.com/nodejs/TSC/issues/51.

The problem is in getting people to try it. Using it in the test org probably makes sense to try it.

ChALkeR commented 6 years ago

@ryanmurakami

> a key that can block users

Due to GitHub limitations, that's not just a key that can block users, afaik. That's a token that can «Fully manage organization, teams, and memberships», e.g.:

  1. Block users
  2. Add/remove members to the org
  3. Add/remove teams to the org
  4. Add/remove admins to the org

I'm pretty much -1 on issuing such a token and adding it to a publicly available app, even if that app will implement some authentication mechanism, until @github implements a better permissions model.
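Added example, not code from this thread or from orgbot: a Python sketch of the two safeguards the discussion above circles around. It reads the scopes GitHub actually granted to the token from the `X-OAuth-Scopes` response header, fails fast if `admin:org` is missing and reports any surplus scopes, and it gates every (un)block on the caller being an active owner of the org (the "rely on GitHub for permissions" idea), writing an audit entry for each decision. The GitHub transport is a constructed stub so the example runs offline; the `ModBot` class, the `demo()` helper, the usernames alice/bob/spammer and the audit record format are assumptions, while the endpoints and header name are the real ones.

```python
from dataclasses import dataclass, field

# Blocking needs admin:org; as the thread notes, that scope also covers
# members, teams and admins, so the token itself must be treated as an owner key.
REQUIRED_SCOPE = "admin:org"


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: dict = field(default_factory=dict)


class FakeGitHub:
    """Constructed stand-in for api.github.com so the example runs offline.
    It echoes the token's scopes in X-OAuth-Scopes (as the real API does for
    classic tokens) and enforces admin:org on /orgs/{org}/blocks/{username}."""

    def __init__(self, scopes, memberships):
        self.scopes = list(scopes)
        self.memberships = dict(memberships)  # (org, user) -> role
        self.blocked = set()

    def request(self, method, path):
        hdr = {"X-OAuth-Scopes": ", ".join(self.scopes)}
        p = path.strip("/").split("/")
        if p == ["user"]:
            return Response(200, hdr, {"login": "bot"})
        if len(p) == 4 and p[0] == "orgs" and p[2] == "memberships":
            role = self.memberships.get((p[1], p[3]))
            if role is None:
                return Response(404, hdr, {"message": "Not Found"})
            return Response(200, hdr, {"role": role, "state": "active"})
        if len(p) == 4 and p[0] == "orgs" and p[2] == "blocks":
            if REQUIRED_SCOPE not in self.scopes:
                return Response(403, hdr, {"message": "Must have admin rights"})
            if method == "PUT":
                self.blocked.add(p[3])
                return Response(204, hdr)
            if method == "DELETE":
                self.blocked.discard(p[3])
                return Response(204, hdr)
        return Response(404, hdr, {"message": "Not Found"})


class ModBot:
    """Hypothetical moderation bot: verifies its token, allows (un)block only
    for active org owners, and keeps an audit trail of every decision."""

    def __init__(self, api, org):
        self.api, self.org, self.audit = api, org, []

    def token_scopes(self):
        raw = self.api.request("GET", "/user").headers.get("X-OAuth-Scopes", "")
        return {s.strip() for s in raw.split(",") if s.strip()}

    def check_token(self):
        """Raise if the token cannot block; return scopes beyond the one needed
        so an over-provisioned token is noticed before the bot goes live."""
        scopes = self.token_scopes()
        if REQUIRED_SCOPE not in scopes:
            raise PermissionError(f"token lacks {REQUIRED_SCOPE}; has {sorted(scopes)}")
        return scopes - {REQUIRED_SCOPE}

    def is_org_owner(self, user):
        r = self.api.request("GET", f"/orgs/{self.org}/memberships/{user}")
        return r.status == 200 and r.body.get("role") == "admin" and r.body.get("state") == "active"

    def set_block(self, actor, target, block=True):
        action = "block" if block else "unblock"
        if not self.is_org_owner(actor):  # authorization comes from GitHub, not the bot
            self.audit.append({"actor": actor, "target": target, "action": action, "allowed": False})
            raise PermissionError(f"{actor} is not an owner of {self.org}")
        r = self.api.request("PUT" if block else "DELETE", f"/orgs/{self.org}/blocks/{target}")
        ok = r.status == 204
        self.audit.append({"actor": actor, "target": target, "action": action, "allowed": True, "ok": ok})
        return ok


def demo():
    """Run the bot against the stub with constructed users; returns the outcomes."""
    members = {("TestOrgPleaseIgnore", "alice"): "admin", ("TestOrgPleaseIgnore", "bob"): "member"}
    gh = FakeGitHub(["admin:org", "repo"], members)
    bot = ModBot(gh, "TestOrgPleaseIgnore")
    out = {"surplus": bot.check_token(), "owner_blocks": bot.set_block("alice", "spammer")}
    try:
        bot.set_block("bob", "spammer", block=False)
        out["member_unblocks"] = True
    except PermissionError:
        out["member_unblocks"] = False
    out["still_blocked"] = "spammer" in gh.blocked
    out["owner_unblocks"] = bot.set_block("alice", "spammer", block=False)
    out["blocked_after"] = sorted(gh.blocked)
    out["audit"] = bot.audit
    try:
        ModBot(FakeGitHub(["read:org"], members), "TestOrgPleaseIgnore").check_token()
        out["weak_token_accepted"] = True
    except PermissionError:
        out["weak_token_accepted"] = False
    return out


if __name__ == "__main__":
    print(demo())
```

The ownership check is done per request rather than once at login, so a moderator who loses the owner role is cut off immediately, and the audit list is the record the moderation team would want to review; the surplus-scope report is the practical answer to the concern above: the bot cannot shrink what admin:org grants, but it can at least refuse tokens that carry anything more.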

benjamingr commented 6 years ago

Oh hey @IonicaBizau fancy seeing you here :) Thanks for picking this up, the moderation team would love to work with you in order to help automate the tasks the moderation team performs.

I recommend we create an automation room in the nodejs-moderation slack and add @IonicaBizau as a room-member (as well as other interested parties).

Trott commented 1 year ago

Unarchived this repo so I could close all the PRs and issues. Will re-archive when I'm done.