Skip to content

[ENG-10340] Check for flag#11792

Open
bodintsov wants to merge 9 commits into
CenterForOpenScience:feature/pbs-26-13from
bodintsov:fix/use-account-get-disabled
Open

[ENG-10340] Check for flag#11792
bodintsov wants to merge 9 commits into
CenterForOpenScience:feature/pbs-26-13from
bodintsov:fix/use-account-get-disabled

Conversation

@bodintsov

Copy link
Copy Markdown
Contributor

Ticket

https://openscience.atlassian.net/browse/ENG-10340

Purpose

Fix the user's account getting disabled

Changes

Added a check for the frag in the method

Side Effects

TBD

QE Notes

TBD

CE Notes

TBD

Documentation

TBD

@bodintsov bodintsov force-pushed the fix/use-account-get-disabled branch 2 times, most recently from 26e58cf to 4c6cf27 Compare July 1, 2026 14:13
Comment thread osf/models/validators.py Outdated
return False

text = name_content.lower()
if any(suffix in text for suffix in ['m.sc.', 'msc.', 'phd.', 'ph.d.', 'msc.pt', 'pt.', 'prof.', 'dr.', 'md.', 'jd.', 'esq.']):

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is far too specific and only handles the cases we know of, not the potential future cases. I think we need to adjust the DOMAIN_REGEX to be better (it should grab complete URLs), and also maybe if the domain regex finds something, pass the suspected domain through urllib.parse.urlsplit to see if it has a scheme and a netloc. If it doesn't have both of those, we could probably return false, since it won't link in an email to a location.

@sh-andriy sh-andriy left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@bodintsov I agree with @brianjgeiger, the suffix list is just going to rot as new name formats show up. The urlsplit idea (only count it if it parses to a scheme + netloc) is the cleaner, future-proof version.

One thing though: even a perfect regex only fixes the trigger, not the disable itself. Accounts still get disabled with SPAM_ACCOUNT_SUSPENSION_ENABLED off because user.confirm_spam() calls deactivate_account() directly (user.py:1485), skipping both the suspension flag and the is_hammy check that suspend_spam_user has. So the save()confirm_spam() path can still nuke an assumed-ham user. To actually hit the AC (assumed-ham never auto-disabled, manual only, excluded domain → flagged) we need to guard there too, flag instead of confirm_spam for hammy users.

@cslzchen cslzchen force-pushed the feature/pbs-26-13 branch from a29364e to 3308e4e Compare July 5, 2026 15:33
@bodintsov bodintsov force-pushed the fix/use-account-get-disabled branch from f825b0d to 8ca3c5c Compare July 6, 2026 09:19
@bodintsov bodintsov force-pushed the fix/use-account-get-disabled branch from 8ca3c5c to baa5c5f Compare July 6, 2026 09:32
Comment thread osf/models/validators.py Outdated
Comment on lines +126 to +127
if candidate.startswith('www.'):
candidate = f'https://{candidate}'

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There's no sense checking for parsed.scheme if you're going to add the scheme here. I'm guessing you've added that to handle the case of

        {
            'fullname': 'Judith Sarah',
            'given_name': 'Judith',
            'family_name': 'Preuss',
            'middle_names': 'www.google.com',
            'suffix': 'M.Sc.',
        },

If you're going to do that, we should probably a) not bother checking for parsed.scheme; and b) handle the case of google.com as well as www.google.com.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

google.com and N.Sathesh are both the same for regular expression and urlsplit. It seems not to be possible to at the same time allow for names like that and prohibit URLs without protocol and www

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Harrumph. I was really hoping urlparse would check for valid top level domains. Let's see if we can come up with something better than urlparse for this then. I'll give it some thought.

'given_name': 'Judith',
'family_name': 'Preuss',
'middle_names': 'https://www.google.com',
'suffix': 'M.Sc.',

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So this is problematic. M.Sc. is a valid domain name. I'm checking with Product on how we want to try to handle it.

Comment thread osf/models/user.py Outdated
ret = super().save(*args, **kwargs) # must save BEFORE spam check, as user needs guid.

if has_domain and not was_creating:
if has_domain and self.is_hammy:

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If the user has been marked as ham or maaaybe presumed ham, we need to make sure that they are not marked as spam. We should definitely mark them as spam if their spam situation is unknown.

What we may want to do is only use the has_domain on presumed ham folks if they are being created as unregistered contributors, and not of they are already in the database. That may be covered by was_creating and maybe it should eb if (has_domain and was_creating) or (has_domain and not self.is_hammy) or similar. I'm not super-familiar with the spam system, so I don't know the ideal conditional to use here, but give some thought based on what I've mentioned above, and see if you can make some tests to cover each of the scenarios.

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I talked with Product, and I think if we also add in something that doesn't spam a user if the domain it has is in the notable domains as ignored, that would prevent a lot of the problems we're having as well, and would explicitly handle the M.Sc domain problem below.

Comment thread osf_tests/test_user.py Outdated
Comment on lines +2110 to +2118
def test_validate_domain_in_field_for_existing_not_ham(self):
self.user.fullname = 'google.com'
self.user.save()
assert self.user.is_spammy is True
assert self.user.is_hammy is False

self.user.unspam(save=True)
self.user.fullname = 'not a url'
self.user.save()

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What we discussed on Slack was having the domains in the username field only flag as spam if you are creating a user for an unregistered contributor. That is the spam vector that it is explicitly trying to prevent. Right now, there are no situations where a user who exists already should be flagged as spam for including a domain in their user name parts. Eliminating that check will reduce the opportunity for this to fail in a way that is causing problems for real users now.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants