seasketch / next

A modernization version of the SeaSketch platform, released in 2022.
https://seasketch.org
BSD 3-Clause "New" or "Revised" License

Better handle email_verification and its integration with ACL #534

Open wmcclin opened 1 year ago

wmcclin commented 1 year ago

About 10 people who had been assigned to the MSP Working Group forum could not actually see the forum. I had to make the forum public. It's possible (but I haven't verified this) that the individuals that could see the forum were ones that I had invited to the project, assigned them Working Group access and sent an invitation to which they responded. The others may have signed up on their own (e.g. not following the link that was sent to them) and afterward, I assigned them to the Working Group group.

In any case, the forum is now public and I would like to have the option to make it writable by the Working Group and readable by the Public.

wmcclin commented 1 year ago

For one person that this happened to, they were able to delete the "network" (collection) folder that the copied shape came in. Then, the ghosted shape disappeared. For Emily (above), deleting the network and the shape in her Sketches tab did not do the trick. It is persistent and won't disappear from her screen.

Emily says that when copying the shape from the forum, she did it twice. The first time when she copied the shape, it didn't appear in her Sketching tab. So, she went back and copied it again. So, it appears that there were actually two copies - one that showed up in her Sketching tab, and one that did not. She is unable to delete the one that doesn't appear in her sketching tab but DOES appear on screen.

wmcclin commented 1 year ago

Emily deleted all of her shapes, turned off all of them in the forum, and the ghost shape continues to appear on her map. Emily broke SeaSketch.

underbluewaters commented 1 year ago

Some of these comments are from another issue. I’ll pull them over later.

Do you have any names for those who can’t access the forum?

wmcclin commented 1 year ago

They can all view them now.

--
Will McClintock
National Center for Ecological Analysis and Synthesis
University of California Santa Barbara, CA 93101

On Jan 24, 2023, at 12:34 PM, Chad Burt @.***> wrote:

> Some of these comments are from another issue. I’ll pull them over later.
>
> Do you have any names for those who can’t access the forum?


wmcclin commented 1 year ago

I take it back. When I change permissions to the MSP Working Group Forum so that only the MSP Working Group group can view or write to it, the following users (who are part of the MSP Working Group group) can no longer see the forum:

- Nicole Yamase: nhyamase@gmail.com
- Juan Mayorga: juanmayorga@ucsb.edu
- Vanessa Fread: vfread@rd.gov.fm
- Skiis Dewey: skiisdewey@gmail.com

underbluewaters commented 1 year ago

The root of the problem here is email verification. SeaSketch Next is a lot more secure, in that it checks to see if a user has verified their email address before giving permission to access protected resources. This way someone can't just create an account impersonating well-known-person@agency.gov and get access to a project or forum. This has a couple big problems:

  1. There can be some latency between verifying an email and actually getting the permission. The code for fetching updated information is tricky to get right and involves a 3rd party (auth0) so can be slow. It's a very hot code path so I have to do some caching to make it efficient, and that makes it trickier. I think that's what happened here.
  2. The UI is bad. Due to the implementation, there's no way to know something exists that you have no access to, so I can't show any message telling the user to verify their email.

I'm just going to disable this security measure for now. In the future I think I will expose the verified_email status on users in the admin console and let project administrators decide for themselves whether they trust a user. I'm going to keep this issue open to think about better options in the future.
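
The latency in point 1 and the silent denial in point 2 above, as an added TypeScript example that is not SeaSketch's code and not part of the original comment: a TTL cache in front of the identity provider keeps returning the old unverified status until it expires, unless the verification event evicts the entry. All names here (`getClaims`, `onEmailVerified`, `canViewForum`, the in-memory `idp` table standing in for the third-party lookup, the 60-second TTL) are assumptions.

```typescript
// Added illustration; every name and value below is hypothetical.
type Claims = { emailVerified: boolean };
type Decision = "allow" | "deny" | "verify_email";

// Null-prototype tables so ids like "constructor" never match inherited keys.
const idp: Record<string, Claims> = Object.create(null);           // stand-in for the slow third-party lookup
const groupMembers: Record<string, boolean> = Object.create(null); // admin-assigned group
const cache: Record<string, { claims: Claims; expires: number }> = Object.create(null);
const TTL_MS = 60000;

function getClaims(userId: string, now: number): Claims {
  const hit = cache[userId];
  if (hit && hit.expires > now) return hit.claims;     // hot path: no IdP call
  const claims = idp[userId] || { emailVerified: false };
  cache[userId] = { claims, expires: now + TTL_MS };
  return claims;
}

// Verification callback: update the record and evict the cached entry,
// so the very next access check re-fetches instead of waiting out the TTL.
function onEmailVerified(userId: string): void {
  idp[userId] = { emailVerified: true };
  delete cache[userId];
}

function canViewForum(userId: string, now: number): Decision {
  // Non-members get a plain deny and learn nothing about the forum.
  if (!groupMembers[userId]) return "deny";
  // Members who are merely unverified get a distinct, actionable outcome.
  return getClaims(userId, now).emailVerified ? "allow" : "verify_email";
}

// Constructed scenario: u1 verifies without eviction, u2 with eviction.
function demo(): Decision[] {
  groupMembers["u1"] = true;
  groupMembers["u2"] = true;
  idp["u1"] = { emailVerified: false };
  idp["u2"] = { emailVerified: false };
  const out: Decision[] = [];
  out.push(canViewForum("u1", 0));          // caches "unverified"
  idp["u1"] = { emailVerified: true };      // verified upstream, cache not told
  out.push(canViewForum("u1", 1000));       // stale cache still blocks
  out.push(canViewForum("u1", TTL_MS + 1)); // entry expired, re-fetched
  out.push(canViewForum("u2", 0));
  onEmailVerified("u2");                    // eviction on the event
  out.push(canViewForum("u2", 1000));       // allowed immediately
  out.push(canViewForum("stranger", 0));
  return out;
}
```

The `verify_email` outcome is only ever returned for accounts an administrator has already placed in the group, so it grants no access and reveals nothing to accounts outside it.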

underbluewaters commented 1 year ago

Commit with changes: https://github.com/seasketch/next/commit/0a828391537c1b68398087ece076f873442a5b82

underbluewaters commented 1 year ago

Related to #573