Make articles from a user with `spam` role inaccessible about forem HOT 7 CLOSED

Thanks for the issue, we will take it into consideration! Our team of engineers is busy working on many types of features, please give us time to get back to you.

To our amazing contributors: issues labeled bug are always up for grabs, but for feature requests, please wait until we add a ready for dev before starting to work on it.

If this is a feature request from an external contributor (not core team at Forem), please close the issue and re-post via GitHub Discussions.

To claim an issue to work on, please leave a comment. If you've claimed the issue and need help, please ping @forem-team. The OSS Community Manager or the engineers on OSS rotation will follow up.

For full info on how to contribute, please check out our contributors guide.

from forem.

I did a bit more research on the issue and given that some work was done in #20498 (assign negative score on spammer'a articles). So, I suppose that I'm going to rely on score and make sure that articles with negative score don't appear in feeds and search. There are checks like .where("score >= 0") or with_at_least_home_feed_minimum_score in some places, but we need to make sure that articles with negative score don't appear somewhere.

I considered unpublishing, but it will make unsuspending harder, and in general seems like misusing published field.
Filtering my the author's role explicitly will be inefficient in feeds/search, so is not an optimal solution as well.

from forem.

@lightalloy yeah, on a place-by-place basis, sometimes 0 should be the threshold and sometimes minimum feed score. I think it depends on the place.

I actually think we're reasonably well covered in "feed" contexts, but we can seek to find more.

In order to make articles and users with spam role less accessible, I think one move would be to 404 the landing pages (at least for signed out) — this would ensure that.

In general I think we should avoid using unpublishing, and instead modify score and call not_found on the landing page themselves. Therefore if we need to remove the spam role things effectively go back to where they were without having to manage a bunch of complicated state — we try and make everything flow down-hill from the spam role being present.

Maybe it makes sense to add downstream logic little by little in small PRs so that you can make a judgment call as needed and we can evaluate a change in the PR itself?

from forem.

@benhalpern Agree on not unpublishing, I have abandoned this idea after considering it 🌚

I wanted to create a small pr for 404 article pages but then realized that it will be misleading if we still have articles in feeds but return 404. After the research I see that most cases are covered, so I may still want to create this pr first.

from forem.

@lightalloy I think creating the PR for the 404 is the right next step. In general we want to minimize the chance of someone clicking a link elsewhere in the product to get a 404 page, but I think we're likely covered here and would only have edge cases remaining.

from forem.

So, I found out that articles with negative score can be displayed on pages like top by timeframe (/top/week, /top/month) and tag pages by timeframe: (/t/tagname/top/year).
It's not very likely for them to appear on dev.to because of the large number of articles, though possible, especially on tag pages with less popular tags.
So I would add a threshold there. Latest has a -20 threshold

from forem.

Yeah @lightalloy that makes sense

from forem.