openstreetmap / iD

🆔 The easy-to-use OpenStreetMap editor in JavaScript.
https://www.openstreetmap.org/edit?editor=id
ISC License

iD doesn't handle blocked user accounts gracefully #5400

Open simonpoole opened 5 years ago

simonpoole commented 5 years ago

iD should display the error text returned by the API when a user is blocked, or give to-the-point feedback in another way.

Now normally the user has logged in and seen the block text before being able to edit, however

trying to save edits on a blocked account will start the OAuth handshake on my dev server (I can't test against production obviously), which will then fail with 'No route matches [GET] "/land.html"' from rails.

Mentioning @tomhughes because of the rails behaviour.

bhousel commented 5 years ago

Is this the same as #3846 ?

bhousel commented 5 years ago

'No route matches [GET] "/land.html"' from rails.

Oh yeah, I think I need to add a land.html on the rails side.

simonpoole commented 5 years ago

@bhousel arghh I hate github search, yes basically it is the same as https://github.com/openstreetmap/iD/issues/3846 with the added issue of the rails error which I believe didn't happen before.

tomhughes commented 5 years ago

Err really. I'm not sure about adding random HTML pages... What exactly is the process here?

simonpoole commented 5 years ago
tomhughes commented 5 years ago

Yes I understand that bit. What I don't understand is what land.html is or why iD is trying to load it or what it's going to do with it or what should(?) be in it.

bhousel commented 5 years ago

What I don't understand is what land.html is or why iD is trying to load it or what it's going to do with it or what should(?) be in it.

@tomhughes It's just a page that OAuth returns to in order to finish storing its secrets. You can see it here: https://github.com/openstreetmap/iD/blob/master/dist/land.html

We probably never added this to the rails site because all those users come to iD preauthenticated. The only reason an iD user would ever need to do OAuth on openstreetmap.org would be if their auth tokens are revoked or they are blocked while they are logged in doing something.

In this situation, what happens right now is that the user tries to save, gets asked to reauth, and then gets pushed to a nonexistent page - I agree with @simonpoole that we should handle this better.

tomhughes commented 5 years ago

Oh we should certainly handle it better I'm just trying to understand what that means ;-)

I mean obviously we can create that page (though I'd prefer a better name) but the question is what we should show there given I'm assuming it isn't told about any error from the API. In any case it would be nicer if they weren't ejected from iD to a static page.

simonpoole commented 5 years ago

@bhousel just to avoid you wondering about this: there is no obvious way for a logged in user that has been blocked to know that that has occurred and to unblock (assuming it is a zero hour block), the user needs to go to their profile, to the list of blocks and view the active block, or explicitly log out and log in again. Likely the current most user friendly thing you could do right now is to link to the block list from a popup in iD.

bhousel commented 5 years ago

@bhousel just to avoid you wondering about this: there is no obvious way for a logged in user that has been blocked to know that that has occurred and to unblock (assuming it is a zero hour block), the user needs to go to their profile, to the list of blocks and view the active block,

Good to know! We are already fetching the user's profile to do things like show their avatar and include their changesets_count in the changeset tag.

An odd potential Catch-22 though: In a future GDPR'd version of the API, we might not be able to fetch the user's profile and know about the block unless they have logged in, and we may not be able to log them in unless they resolve the block. 🤔 someone smarter than me should figure out how this will work.

mmd-osm commented 5 years ago

@simonpoole :

there is no obvious way for a logged in user that has been blocked to know that that has occurred and to unblock (assuming it is a zero hour block), the user needs to go to their profile,

http://{your rails port here}/api/0.6/user/details returns a nice error message telling you that "Your access to the API has been blocked. Please log-in to the web interface to find out more.". Seems to work with Basic Auth, even if the user has been blocked in the meantime, ~OAuth may also work, but I haven't tested it.~ OAuth also works.

JOSM frequently polls this URL to find out if a user has some new messages, though it fails to handle the "blocked user" error case and just prints some random stack trace on the console without giving the user any further hint as to what's going on.

2019-05-15 20:40:11.005 INFO: GET http://localhost:3000/api/0.6/user/details (...) -> 403
2019-05-15 20:40:11.007 WARNING: org.openstreetmap.josm.io.OsmApiException: ResponseCode=403, Error Header=<Your access to the API has been blocked. Please log-in to the web interface to find out more.>
org.openstreetmap.josm.io.OsmApiException: ResponseCode=403, Error Header=<Your access to the API has been blocked. Please log-in to the web interface to find out more.>
    at org.openstreetmap.josm.io.OsmServerReader.getInputStreamRaw(OsmServerReader.java:213)
    at org.openstreetmap.josm.io.OsmServerReader.getInputStreamRaw(OsmServerReader.java:137)
    at org.openstreetmap.josm.io.OsmServerReader.getInputStreamRaw(OsmServerReader.java:121)
    at org.openstreetmap.josm.io.OsmServerReader.getInputStream(OsmServerReader.java:85)
    at org.openstreetmap.josm.io.OsmServerReader.fetchData(OsmServerReader.java:421)
    at org.openstreetmap.josm.io.OsmServerUserInfoReader.fetchUserInfo(OsmServerUserInfoReader.java:170)

Follow up issue on JOSM bug tracker: https://josm.openstreetmap.de/ticket/17722

iD also seems to call that endpoint initially. I'm not sure if there's some similar feature to find out about new messages. Extracting the "you've been blocked" error message doesn't seem to be in place either.
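As an added illustration of the point above (this is not iD's or JOSM's code), the following shows how an editor client could interpret the response of GET /api/0.6/user/details so that a blocked account is reported to the user instead of surfacing as a stack trace or, as earlier in this thread, as a re-authentication attempt that ends on a missing page. It assumes what the JOSM log shows: the API answers a blocked user with HTTP 403 and puts the human-readable reason in an `Error` response header. The 401 case, the `nextAction` names and the sample responses are constructed for the example.

```javascript
// Added example: classify a /api/0.6/user/details response and decide what
// the editor should do next. Assumption (from the JOSM log in this thread):
// a blocked user gets HTTP 403 with the reason in an "Error" response header.

const BLOCKED_MARKER = 'has been blocked';

// Case-insensitive header lookup over a plain object or a Map, so the
// function works with whatever shape the HTTP layer hands back.
function getHeader(headers, name) {
  const entries = headers instanceof Map ? headers.entries() : Object.entries(headers);
  for (const [key, value] of entries) {
    if (key.toLowerCase() === name.toLowerCase()) return value;
  }
  return undefined;
}

// Turn a raw response ({ status, headers }) into one of four states.
function interpretUserDetails(response) {
  const status = response.status;
  const apiError = getHeader(response.headers || {}, 'Error') || '';

  if (status >= 200 && status < 300) {
    return { state: 'ok', message: '' };
  }
  if (status === 401) {
    // Assumed: missing or revoked credentials; re-authentication makes sense here.
    return { state: 'unauthorized', message: 'Your login is no longer valid. Please log in again.' };
  }
  if (status === 403 && apiError.toLowerCase().includes(BLOCKED_MARKER)) {
    // Show the API's own text; re-authenticating would not lift the block.
    return {
      state: 'blocked',
      message: apiError,
      hint: 'Read the block message on the OpenStreetMap website (your account\'s blocks page), then log out and log in again.'
    };
  }
  return { state: 'error', message: apiError || ('HTTP ' + status) };
}

// Map the state to the editor's next step. Only an expired login should
// start OAuth; a block is shown to the user without leaving the editor.
function nextAction(result) {
  switch (result.state) {
    case 'ok':           return 'upload';
    case 'unauthorized': return 'reauthenticate';
    case 'blocked':      return 'show-block-notice';
    default:             return 'retry-later';
  }
}

// Constructed sample responses (not captured from a real server).
const SAMPLE_RESPONSES = {
  active:  { status: 200, headers: { 'Content-Type': 'text/xml; charset=utf-8' } },
  blocked: { status: 403, headers: { 'error': 'Your access to the API has been blocked. Please log-in to the web interface to find out more.' } },
  expired: { status: 401, headers: {} },
  outage:  { status: 503, headers: {} }
};

// Usage: run each sample through the classifier.
for (const [name, response] of Object.entries(SAMPLE_RESPONSES)) {
  const result = interpretUserDetails(response);
  console.log(name + ': ' + result.state + ' -> ' + nextAction(result));
}
```

The check is deliberately keyed on the 403 status plus the `Error` header text, so a plain 403 from some other cause (a permissions problem, a proxy) falls through to the generic error branch rather than being mislabelled as a block.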

grischard commented 5 years ago

Let me know if you create a test user that you'd like to be blocked.

don-vip commented 5 years ago

Can you please block https://www.openstreetmap.org/user/josmdev/ ?

simonpoole commented 5 years ago

Can you please block https://www.openstreetmap.org/user/josmdev/ ?

I'm slightly surprised that we (well I have my own rails-port instance, so it is more a rhetorical "we" :-)) are using the production website for this, I suspect that there would be no big problem in giving bona fide editor developers the privileges on the sandbox, or if that is not possible we (this time not rhetorical) can simply run one where this is possible.

pnorman commented 5 years ago

Moderator privileges on master.apis.dev.openstreetmap.org are easier to give out, so if you want to do tests with different kinds of blocks, blocks happening at different parts of the editing workflow, etc., that is the best place to do so, rather than the live API.

grischard commented 5 years ago

Yup, the sandbox is the best place to do it. User josmdev has, in any case, been blocked.

quincylvania commented 5 years ago

I added this notice to the v3 assistant when you launch iD and are logged in with an active block. The Details link goes to the /blocks page under their account.

[Screenshot: Screen Shot 2019-09-04 at 1 42 41 PM]

iD still needs to handle this kind of info upon logging in after the fact and trying to upload.

SomeoneElseOSM commented 4 years ago

I'm not seeing any message when I launch iD on the live osm.org site and the user is blocked - I guess that the change mentioned earlier hasn't been released there yet? What I do also get is the following, if the user is already editing:

1. In browser A, as SomeoneElse2, enter edit mode.

2. In browser B, as SomeoneElse, block SomeoneElse2 https://www.openstreetmap.org/user_blocks/3667 (0-hour, must read before continuing).

3. In browser A, add a feature in iD.

4. Save.

5. "Errors occurred while trying to save. You have an urgent message on the OpenStreetMap web site. You need to read the message before you will be able to save your edits. OK"

   "You have an urgent message..." is hyperlinked to "https://www.openstreetmap.org/id#"

6. Click OK. Only on-screen options are "cancel" and "upload" at this point.

7. Click upload again.

8. An OAuth2 request "Authorise access to your account" appears for "The application iD".

9. Click "Grant Access".

10. "File not found Couldn't find a file/directory/API operation by that name on the OpenStreetMap server (HTTP 404)

    Feel free to contact the OpenStreetMap community if you have found a broken link / bug. Make a note of the exact URL of your request."

    ("contact" is hyperlinked to "http://wiki.openstreetmap.org/wiki/Contact")

At this point any attempt to save in iD seems to fail, even if I read the 0-hour block message in a different browser tab.

What I actually need to do is:

1. Cancel the upload.

2. Click "OpenStreetMap" to leave the editor.

3. Log out and log in again. The 0-hour block message appears.

4. Select "Edit" again.

5. Make the changes again manually (unfortunately iD didn't always detect my previously unapplied changes).

If the "You have an urgent message..." message said "you need to logout and login again" then users would know what they need to do. Obviously the OAuth message (discussed in detail above) is still an issue. See also https://github.com/openstreetmap/openstreetmap-website/issues/2611 (similar issue but for the Notes UI on the website).