Bulk user account management tool for directed editing teams

[bhousel]

This is a followup issue from #1822

I am proposing to add a bulk user account management tool for directed editing teams

If we add a dedicated Director role per #1822, those users would benefit from having a bulk user management tool. For example, a teacher running a class might want to create directee accounts for a dozen students at once. When the class is concluded, she might want to delete all those accounts, or convert them to normal accounts. Similar concerns exist for paid mapping teams.

I realize that bypassing the existing signup flow for directee accounts would require a more thorough review (we should check with the LWG for guidance here too), and building a tool like this would be more work than simply adding the roles. This is why I split this specific request off from #1822 into its own issue for separate discussion. Thanks!

---

Background: I worked with TeachOSM recently on an event in which we trained geography teachers how to use OSM. Several of the teachers have already incorporated OSM into their curricula, and provided helpful feedback on ways that we can support them. This is one of a few related issues for discussion based on this feedback. Thanks!
cc @nualacowan @geomantic

[tomhughes]

I think this will be a huge legal problem, as a director probably can't assent to the contributor terms on behalf of other people.

There's also the question of how email validation would work.

Finally, given there is a sort of plan to rework signup and login using a standard framework I would be reluctant to complicate that side of things any further before that happens.

[gravitystorm]

We might be able to do something around "invitations" - so a Director could invite a list of email addresses. The individuals would be able to sign up using links in those invitations, following the normal signup flow (and contributor terms acceptance) and yet still automatically become Directees in the correct organisation.

[tomhughes]

Yes I think it would likely have to be something like that.

Even then it's likely to be quite tricky to implement as things stand, as our signup flow is baroque and very fragile so touching it in any way tends to be high risk.

[gravitystorm]

Even then it's likely to be quite tricky to implement as things stand, as our signup flow is baroque and very fragile so touching it in any way tends to be high risk.

Oh, I'd definitely like to do this kind of thing after moving to Devise - there's plenty of plugins and as you say it'll be more straightforward to implement. But for now we can sketch out the concepts and see if they're workable.

[simonpoole]

Some more comments in https://github.com/openstreetmap/openstreetmap-website/issues/1822 but we will need any contributor to agree to the CTs, view the privacy policy (GDPR related change) and likely agree to API and website terms of use (that don't exist yet). That doesn't meant that there couldn't be special versions of the later for specific groups, but I don't see a way we can get around the individual agreement to the CTs as it concerns individual rights.

[bhousel]

Oh, I'd definitely like to do this kind of thing after moving to Devise - there's plenty of plugins and as you say it'll be more straightforward to implement. But for now we can sketch out the concepts and see if they're workable.

@gravitystorm Is the Devise gem refactor work ticketed? Is it something we can put something on at an upcoming hackathon event, or something I can just help out with? I built a Rails site many years ago back in the 2.x days that used Devise and I thought it was wonderful to work with.

[gravitystorm]

@gravitystorm Is the Devise gem refactor work ticketed

Not yet, at least not explicitly. Some preparation work has been done already (e.g. moving to current_user for the logged in user) and it's been mentioned in a few tickets as something we would like to do. I've been wary of putting in too many tickets marked "future" or that are blocked by other work, since we have plenty of open tickets already!

Is it something we can put something on at an upcoming hackathon event, or something I can just help out with? I built a Rails site many years ago back in the 2.x days that used Devise and I thought it was wonderful to work with.

Great! I think it will be hard to do in a Hackathon event, since I don't think it'll be just one PR. It'll involve lots of different changes to routes, thought given to things like our customised password hashing and signup acls, and slightly more standard things like having multistage signup (e.g. needing to view terms on a separate page) that will either be out-of-the-box or at least more likely to have existing devise plugins.

It would be great to have this work started, at a Hackathon or otherwise. I would approach it the same way as I've approached the auth framework problem - have a stab at it to get a better understanding of the groundwork required, then spread that groundwork over multiple PRs if necessary.

[tykayn]

any news on the group and managed account feature since 2018 ?

[simonpoole]

In September 2018 the OSMF board put the ToU in place that didn't exist at the time of the above discussion, in particular these clarify how and if minors can use the website https://wiki.osmfoundation.org/wiki/Terms_of_Use

The positive thing is: since then there is a framework on what account features can be used (and only those should be available to such accounts) and what the age restrictions are. The negative: in practical technical terms there is no support for such accounts.