[RFC] Contact Event Organisers Endpoint

[Scott Wilcox]

Hello,

Firstly, for those who don't know me I'm a PHP developer based in Newcastle under Lyme, Staffordshire. I'm also @ssx on Twitter and I've spoken to many of you at some point or another.

Secondly, I've recently started to do a lot of support work for code of conduct related things and one of them is in the process of being written now. The system will allow conference attendees to anonymously report issues or problems that have occurred at a conference back to the organisers so that they can investigate and deal with it appropriately. Not too many people are comfortable with straight up approaching event organisers to highlight an issue but we're all comfortable completing a form - especially when its anonymously.

This is currently planned out to be a manual process which as you can imagine will take up a lot of time. One of the things I've looked at is using the joind.in API to POST a message/email back to event organisers without having to disclose their contact details. I believe this would be useful not only for my own project but the wider API userbase too.

I discussed this with Lorna and Rob earlier a little, but it comes down to a few ways of implementing this:

1) Expose organiser contact details via the API (we pretty much all agreed this would be bad)
2) Add an endpoint to POST a message back to event organisers
3) Add anonymous comments back in to web2 and use those

At the moment, I think #2 is a good solution and I'm happy to implement this myself, before doing so I'd like to hear your thoughts and views on the matter.

Thanks for your time.

Scott.

[Lorna Mitchell]

We're not very good at mailing lists, are we? :)

Scott - you discussed this with me already, and I am in favour of having a way to contact the organisers of an event via the API.  We should probably think about the URL structure of the endpoints for something so much like a verb.

I'll open the bidding with:

POST /events/42/messages

We'll send the email when we receive the request, we need to allow anonymous sending, but probably make that an option so that people can contact the organisers and allow them to get back in touch?  Do we need to log the messages, anyone?

Lorna

--
You received this message because you are subscribed to the Google Groups "joindin-developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to joindin-develop...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

--
Lorna Mitchell
http://lornajane.net

[Scott Wilcox]

Hi Lorna,

I've waited longer for replies on a few lists! :p

Michelle (geekie) came up with an interesting suggestion of adding a
type to the comments table and just using the existing mechanisms in
place with a new type for this, we could hide them on the frontend and
only show to event organisers, how do you feel about that?

Both are viable in my opinion, but using the existing comment system
(we'd have to reimplement anon comments though) seems a good idea.

Scott.

[Lorna Mitchell]

Scott

I'm happy for others to chime inon this but I think this is a new feature, to reach out to the organisers is functionality we don't already have.  Bolting it on to comments will actually be more difficult, because then we've got to filter it back out everywhere that we display comments - and I'm not really comfortable with the possible repercussions if we screw that up at all, ever.

I'd also like us to have anonymous commenting again, but we haven't figured out the issues around spam, reporting and rate-limiting, which are all part of that feature.

Hope that helps.

Lorna

[Scott Wilcox]

Certainly does!

I got it fleshed out last night, should have it ready to test this evening. 

Went with your suggested endpoint of too.

Scott.

Sent from my iPhone

[James Titcumb]

+1 this feature, even as UG organiser. I still would like to receive feedback, especially if there are any issues, and if reporting anonymously makes that more likely then I am strongly in favour of this. Of course, it is probably down to the event organisers to publicise this feature, but it is a good thing to have.

I see Lorna's point about adding it in the usual comments stream - I agree, that would be terrible if a mistake was to happen & if other services hook into the API, how can you be sure they are filtering out the "private" messages and so on.

Nice idea Scott! :)

Thanks
James

[Scott Wilcox]

Thanks for the feedback folks.

I've got an initial implementation written at:

https://github.com/ssx/joindin-api/compare/new_feedback_endpoint

Take a look, take it for a spin and let me know what you think.

Scott.

[James Titcumb]

Hi Scott

Just a quick one, I can't comment on the change as I'm on my mobile or something, but L120 introduces a vulnerability. If $request->url_elements[4] is NOT set (and I don't know if that is possible, but with security you should always assume it IS possible) then you will be bypassing the unauthorised exception.

I think the logic should be more like:

if (not set || (is set && not "messages"))
    throw exception

I'll take a proper look later at the rest of the change :)

Thanks
James

[Scott Wilcox]

Hi James,

That's a great spot. I've updated the if() in that block to handle
that not being present, commit at:

https://github.com/ssx/joindin-api/commit/4aa5a165dafd787a9353b46a72e14cb1c24cbb86

Scott.