beacon's People

Contributors

amrabdelwahab, coralineada, dependabot[bot], gwendolenlynch, krainboltgreene, noahgibbs, shushugah

beacon's Issues

[FEATURE] Reporter reputation system

All contributions, including pull requests, issues, and comments, are governed by our code of conduct.

Is your feature request related to a problem? Please describe.

We need to track a given account's reputation.

Desired solution

Create a reputation system for accounts. Reputation is influenced by:

  • Number of dismissed reports over a given threshold
  • Incidence of 404 and 302 errors triggered (indicates suspicious activity)
  • Traffic origin (Tor exit nodes and proxies)
  • Account hits a maximum limit for certain activities (# submitted reports, # abuse reports submitted for example)? Not sure on this one.
  • Other factors?

[FEATURE] Issue resolution survey reporting

Is your feature request related to a problem? Please describe.

Project owners will want to see aggregate statistics on issue satisfaction for their projects.

Desired solution

Display aggregate satisfaction ratings from reporters and respondents on the moderator's project dashboard.

[FEATURE] Move email delivery to a background job

Is your feature request related to a problem? Please describe.

Email is currently sent synchronously, as part of the request-response cycle.

Desired solution

Move email delivery to a background job.

[BUG] Footer links lack sufficient contrast

Description of the bug

Links within the footer don't have enough contrast, per WCAG 2.1 AA guidelines. This was determined using Axe and can be verified using any color contrast checking tool, such as the WebAIM color contrast checker.

Footer links have a contrast of 3.23 currently. The expected contrast ratio for text of this size is 4.5.

Expected behavior

The colors of these elements should be updated to have more contrast. Alternatively, a bolder font or larger font size could be used, but I'd recommend updating the colors themselves. This is a necessary accessibility improvement for people with disabilities (such as color blindness and low-vision).

Screenshots

This applies to the orange link text against dark blue:
image

Email of a user can be revealed through watermark on images

The watermark service is using an md5 hash on the viewing user's email address.

An attacker who saw an image with the watermark could calculate what the watermark would look like on a list of known email addresses, thus revealing the target user's email address when there is a match (e.g. rainbow table with md5).

The list of target users is potentially quite small (participants of a project). It could be done in a reasonable time even on larger projects.

Sent with GitHawk
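
The weakness reported in the watermark issue above, next to one possible fix, as an added example that is not Beacon's code or the reporter's. It shows that the problem is the missing key rather than MD5 itself: an unkeyed SHA-256 is just as reproducible, while an HMAC under a server-side secret is not. All function names, the sample addresses and the secret handling are assumptions.

```ruby
require "digest"
require "openssl"

# Constructed sample data; none of these values come from Beacon.
PARTICIPANTS = %w[alice@example.org bob@example.org carol@example.org].freeze
# Assumption: a random secret that exists only on the server.
SERVER_SECRET = OpenSSL::Random.random_bytes(32)

def normalize(email)
  email.strip.downcase
end

# Derivation described in the issue: unkeyed MD5 of the viewer's email.
def md5_watermark(email)
  Digest::MD5.hexdigest(normalize(email))
end

# Swapping the digest does not help: anyone can still compute this.
def sha256_watermark(email)
  Digest::SHA256.hexdigest(normalize(email))
end

# Hypothetical hardened derivation: HMAC-SHA256 under the server secret.
def keyed_watermark(email, secret = SERVER_SECRET)
  OpenSSL::HMAC.hexdigest("SHA256", secret, normalize(email))
end

# Property check for a test suite: which candidate addresses reproduce the
# observed watermark from public information only (no secret involved)?
UNKEYED_DIGESTS = [Digest::MD5, Digest::SHA1, Digest::SHA256].freeze

def reproducible_without_secret(observed, candidates)
  candidates.select do |email|
    UNKEYED_DIGESTS.any? { |d| d.hexdigest(normalize(email)) == observed }
  end
end

# Leak tracing still works for the operator, who holds the secret.
def trace_viewer(observed, accounts, secret = SERVER_SECRET)
  accounts.find { |email| keyed_watermark(email, secret) == observed }
end

if __FILE__ == $PROGRAM_NAME
  weak = md5_watermark("bob@example.org")
  strong = keyed_watermark("bob@example.org")
  puts "unkeyed watermark reproducible for: #{reproducible_without_secret(weak, PARTICIPANTS)}"
  puts "keyed watermark reproducible for:   #{reproducible_without_secret(strong, PARTICIPANTS)}"
  puts "operator trace of keyed watermark:  #{trace_viewer(strong, PARTICIPANTS)}"
end
```

A check like `reproducible_without_secret` fits in the test suite of the watermark service, asserting that it returns an empty list for every watermark the service emits.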

[FEATURE] Bulk import of GitLab projects

Is your feature request related to a problem? Please describe.

Some organizations may have a lot of projects in their GitLab portfolio, and adding them one at a time is not an optimal workflow.

Desired solution

Organization owners should be able to authenticate with GitLab and import their public projects, applying org-scoped preset configurations.

Additional context

Should imported projects require approval by Beacon admins?

[FEATURE] Admin dashboard for projects

Security Audit

Is your feature request related to a problem? Please describe.

Security is paramount.

Desired solution

Have an expert perform a security audit of Beacon.

GDPR Compliance

Is your feature request related to a problem? Please describe.

Beacon may need to comply with GDPR requirements.

Desired solution

Someone with knowledge of GDPR requirements should audit Beacon and determine what would need to be done to comply with requests for personal information reporting or deletion.

Verify project key file

Is your feature request related to a problem? Please describe.

Bad actors might create projects in Beacon that they do not actually own.

Desired solution

Require placing a token in a designated place based on the URL of the project. The presence of this file and its contents will be verified before a project can be made public.

Additional context

The token and its instructions are already present in project setup; what's missing is the verification step. Note that if the project's URL changes, Beacon will invalidate the token check.

[FEATURE] Filter email addresses and all IDs from application logs

[BUG] Navigation lacks sufficient contrast

Description of the bug

Links within the navigation don't have enough contrast, per WCAG 2.1 AA guidelines. This was determined using Axe and can be verified using any color contrast checking tool, such as the WebAIM color contrast checker.

Navigation links have a contrast of 3.33 currently. The expected contrast ratio for text of this size is 4.5.

Expected behavior

The colors of these elements should be updated to have more contrast. Alternatively, a bolder font or larger font size could be used, but I'd recommend updating the colors themselves. This is a necessary accessibility improvement for people with disabilities (such as color blindness and low-vision).

Screenshots

This applies to the dark grey text on light blue:
image

General contact form

Is your feature request related to a problem? Please describe.

Users may want to contact Beacon administrators.

Desired solution

There should be a general-purpose 'Contact' form linked from the navigation bar.

Additional context

The text on the form should make it clear that this form is not for reporting abuse, and provide instructions on how to report abuse.

It also needs a reCaptcha.

SMS notifications of new issues

Is your feature request related to a problem? Please describe.

Especially when an issue is related to an event, moderators may want to be notified immediately of an issue being opened.

Desired solution

Allow moderators to sign up for SMS notifications on newly opened issues.

[FEATURE] Beacon admins are notified on new projects

Is your feature request related to a problem? Please describe.

Bad actors might create projects with abusive names or descriptions.

Desired solution

Email admins when a new project is created, or when a project's name changes. The subject line should contain the project name, and the body of the email should display the project description and provide a link to the project in the admin interface.

Note that email notifications are not required for projects with an associated organization.

[FEATURE] Moderators can block low-reputation accounts

Is your feature request related to a problem? Please describe.

Moderators may want to prevent low-reputation accounts from opening issues.

Desired solution

Give moderators a control to prevent low-reputation accounts from opening issues.

Additional context

Prerequisite: #55

[FEATURE] Admin dashboard for organizations

[BUG] Orange links on blue lack sufficient contrast

Description of the bug

Orange links on blue (for example, on the project directory page) don't have enough contrast, per WCAG 2.1 AA guidelines. This was determined using Axe and can be verified using any color contrast checking tool, such as the WebAIM color contrast checker.

These links have a contrast of 1.98 currently. The expected contrast ratio for text of this size is 4.5.

Expected behavior

The colors of these elements should be updated to have more contrast. Alternatively, a bolder font or larger font size could be used, but I'd recommend updating the colors themselves. This is a necessary accessibility improvement for people with disabilities (such as color blindness and low-vision).

Screenshots

An instance of this color combo used on the Project Directory page:
image

[FEATURE] Moderation consensus plan

Is your feature request related to a problem? Please describe.

Moderators need a way to establish a consensus plan for moving an issue to 'resolved' or 'dismissed'.

Desired solution

Allow org- or project-level consensus plans. Options may include:

  1. designating certain moderators as decision-makers
  2. requiring a fixed number of moderators to agree on an issue resolution
  3. requiring a ratio of moderators to agree on an issue resolution
  4. designating a tie-breaker

Project Review

To prevent malicious actors from creating fake projects, projects should be reviewed and approved by a Beacon administrator prior to appearing in the public directory.

Support multiple moderators

Is your feature request related to a problem? Please describe.

Some projects have multiple moderators.

Desired solution

A mechanism by which someone can invite another user to join the project's moderation team.

Additional context

Invitations will be emailed. Invitees may or may not already have an account. Need limits on how many invitations can be sent per project per day to prevent spamming?

Mobile-friendly interface

Is your feature request related to a problem? Please describe.

Some users (especially at events) may be accessing Beacon using a mobile device.

Desired solution

Ensure that the interface is optimized for mobile use.

[FEATURE] Moderators can report reporters to Beacon admins

Is your feature request related to a problem? Please describe.

Moderators may have a problem with spammy or abusive issues and need a way to manage this.

Desired solution

Allow moderators to report a reporter as abusive or spammy, and notify Beacon administrators so that they can take action against the bad-faith reporter.

Template for notifying respondents

Is your feature request related to a problem? Please describe.

Project moderators should be able to create a template to use when contacting respondents for the first time.

Desired solution

From the moderator's project page, link to a form for creating a respondent contact template. Then, when the moderator uses the form to contact a respondent for the first time, populate the text area with the template.

Admins can flag all projects belonging to an org or account

Is your feature request related to a problem? Please describe.

Bad actors may create a number of projects.

Desired solution

From the admin > accounts page, see a list of all projects associated with an account (the account is a moderator). Create a button to flag all of this account's projects at once.

Dependencies

Depends on #135

[BUG] Heading order is not semantically correct on Project Directory

Description of the bug

Heading levels h1, h3, and h4 are skipped on the project directory page. The headings on the project cards use h5 tags. Also, there is no h1 present on the page.

Expected behavior

h5 titles on the page should be changed to h2 headings. The h2 heading should be changed to h1.

Heading levels should only increase by one on a page, with no heading levels skipped. This is an important accessibility fix for people who use screen readers. Learn more here.

Screenshots

An example of how the heading tags should be updated:
image

Move SMS notifications to background job

Is your feature request related to a problem? Please describe.

Currently SMS notifications to project moderators are done as part of the request/response cycle when an issue is opened. This can cause delays and errors.

Desired solution

Set up a background job for SMS notifications.

Organizations

We need to have a way to create organizations that have many projects and many moderators.

Accessibility Audit

Is your feature request related to a problem? Please describe.

Beacon should be accessible to all users, regardless of physical capability or limitations.

Desired solution

An accessibility specialist should review Beacon, and make recommendations or changes to make it fully accessible.

[BUG] Buttons lack sufficient contrast

Description of the bug

Orange buttons throughout the site don't have enough contrast, per WCAG 2.1 AA guidelines. This was determined using Axe and can be verified using any color contrast checking tool, such as the WebAIM color contrast checker.

The white text against orange has a contrast ratio of 3.4 currently. The expected contrast ratio for text of this size is 4.5.

Expected behavior

The colors of these elements should be updated to have more contrast. Alternatively, a bolder font or larger font size could be used, but I'd recommend updating the colors themselves. This is a necessary accessibility improvement for people with disabilities (such as color blindness and low-vision).

Screenshots

This applies everywhere that orange buttons are used with white text, for example:
image

[FEATURE] Admin dashboard for accounts

[BUG] MX record validation is quite invasive

Description of the bug

Without me knowing, my computer was making DNS queries to all the servers belonging to email addresses that were validated.

Reproducing the bug

FactoryBot.create(:kate)

Expected behavior

I expect requests to be made to known servers with a good reputation.

Additional context

I initially saw this because it took ~10s to create an account, while investigating a build failure on account creation.

Solution

Maybe this could be enabled in test / production. Also, valid_email2 recommends stubbing the MX record calls in the test env: https://github.com/micke/valid_email2#test-environment

Encryption key rotation

Is your feature request related to a problem? Please describe.

Relations between issues, reporters, and projects are encrypted using a central encryption key. It is a good practice to periodically rotate this encryption key.

Desired solution

Create a rake task that accepts a new and old encryption key, decrypts IDs using the old key, and re-encrypts using the new key.

Describe alternatives you've considered

A clear and concise description of any alternative solutions or features you've considered.

Additional context

Add any other context or screenshots about the feature request here.
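
The core of the rotation task requested in the key rotation issue above, as an added example that is not Beacon's code. It assumes AES-256-GCM with a base64 `iv + tag + ciphertext` layout and a hypothetical `encrypted_reporter_id` column, none of which is stated on the page; the rows are constructed in memory, and the rake wrapper is left out. Because the encryption is authenticated, the routine can tell which key a value is under, so it is safe to re-run after an interrupted rotation and never overwrites a value it cannot decrypt.

```ruby
require "openssl"
require "base64"

CIPHER = "aes-256-gcm" # assumption: the page does not say which cipher Beacon uses

def encrypt_id(plain_id, key)
  cipher = OpenSSL::Cipher.new(CIPHER).encrypt
  cipher.key = key
  iv = cipher.random_iv # fresh 12-byte nonce per value
  ciphertext = cipher.update(plain_id.to_s) + cipher.final
  Base64.strict_encode64(iv + cipher.auth_tag + ciphertext)
end

# Returns the plaintext ID, or nil when the key is wrong or the value is damaged.
def decrypt_id(blob, key)
  raw = Base64.strict_decode64(blob)
  cipher = OpenSSL::Cipher.new(CIPHER).decrypt
  cipher.key = key
  cipher.iv = raw[0, 12]
  cipher.auth_tag = raw[12, 16]
  cipher.update(raw[28..-1]) + cipher.final
rescue OpenSSL::Cipher::CipherError, ArgumentError, TypeError
  nil
end

# rows: array of hashes with :id and :encrypted_reporter_id (hypothetical schema).
def rotate_rows!(rows, old_key:, new_key:)
  report = { rotated: 0, already_current: 0, failed: [] }
  rows.each do |row|
    blob = row[:encrypted_reporter_id]
    if decrypt_id(blob, new_key)
      report[:already_current] += 1 # rotated by an earlier run; skip
    elsif (plain = decrypt_id(blob, old_key))
      row[:encrypted_reporter_id] = encrypt_id(plain, new_key)
      report[:rotated] += 1
    else
      report[:failed] << row[:id]   # leave the stored value untouched
    end
  end
  report
end

# Constructed sample rows: two under the old key, one already rotated,
# one damaged value that decrypts under neither key.
def sample_rows(old_key, new_key)
  [
    { id: 1, encrypted_reporter_id: encrypt_id(101, old_key) },
    { id: 2, encrypted_reporter_id: encrypt_id(102, old_key) },
    { id: 3, encrypted_reporter_id: encrypt_id(103, new_key) },
    { id: 4, encrypted_reporter_id: Base64.strict_encode64("\x00" * 40) }
  ]
end

if __FILE__ == $PROGRAM_NAME
  old_key = OpenSSL::Random.random_bytes(32)
  new_key = OpenSSL::Random.random_bytes(32)
  rows = sample_rows(old_key, new_key)
  puts rotate_rows!(rows, old_key: old_key, new_key: new_key).inspect
end
```

The old key should be retired only once a run reports no rotated rows and every entry in `failed` has been accounted for.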

[FEATURE] Exclude moderators with potential conflicts of interest

Is your feature request related to a problem? Please describe.

Reporters may want to exclude certain moderators from acting on their issue, for example if the issue is about that moderator's behavior or if there is a potential conflict of interest.

Desired solution

For projects with moderators displayed, add an option to exclude a moderator on the issue creation form.

Report account for abuse

Is your feature request related to a problem? Please describe.

Project maintainers already have the ability to block a reporter, but they should also be able to report someone for abusive behavior to the Beacon administrators.

Desired solution

Add a link from the reporter and respondent pages (which can be accessed from the issue show page) to report an account for abuse.

Reporter auto-responder

Is your feature request related to a problem? Please describe.

Reporters want to be assured that their issue has been reported to project moderators.

Desired solution

Allow moderators to create an auto-responder email. Provide guidance related to sharing estimated turnaround time. Note that the auto-responder should be available at the org or project level, and Beacon should provide a default that can be customized by moderation teams.

Moderators can require 3rd-party account verification for reporters

Is your feature request related to a problem? Please describe.

To prevent spammy or otherwise malicious reporting of issues, moderators may want to require 3rd party verification of reporter accounts.

Desired solution

Add an option to project and organization setup for requiring 3rd party account verification. Determine if the reporter can open an issue based on this aspect of their account.

[BUG] Heading order is not semantically correct on homepage

Description of the bug

Heading levels h2 through h4 are skipped on the homepage. The headings on the homepage cards use h5 tags.

Expected behavior

h5 titles on the homepage should be changed to h2 headings.

Heading levels should only increase by one on a page, with no heading levels skipped. This is an important accessibility fix for people who use screen readers. Learn more here.

Screenshots

An example of an instance of the h5 tag:
image

[FEATURE] Transparency Reporting

Is your feature request related to a problem? Please describe.

People browsing the project directory should be able to see a rollup of statistics related to a given project.

Desired solution

Health report showing average time to respond, and overall satisfaction rating across various criteria (#57)

Dependencies

Dependent on #57

Additional context

The reports should reflect a rolling 3-month activity to prevent abuse.

Bulk import of GitHub projects

Is your feature request related to a problem? Please describe.

Some organizations may have a lot of projects in their GitHub portfolio, and adding them one at a time is not an optimal workflow.

Desired solution

Organization owners should be able to authenticate with GitHub or GitLab and import a selection of their public projects, applying org-scoped preset configurations.

Additional context

Should imported projects require approval by Beacon admins?
