- Issue created by @hestenet
- 🇺🇸 United States volkswagenchick San Francisco Bay Area
I agree that the privileges should extend to the CRT.
As @hestenet stated, there's already a solid process to ensure these are trusted members; this change seems like a reasonable move.
- 🇺🇸 United States cmlara
Related issue suggesting the DA should create a dedicated role rather than re-use the existing role.
Grant the "site moderator" role to dorficus (Fixed)
Having the role gives access to personal data that is not public and has privacy implications. Giving people such access is not about trust, it is about something that in the data protection community is known as POLP (Principle Of Least Privilege) – which is an important part of the GDPR's data minimisation framework.
…
I think the CWG need to reach out to the Drupal Association. Explain that members of the CWG Conflict Resolution Team need access to some protected data (taking POLP into account), get the role "CWG Conflict Resolution Team Member" created with suitable access, and then give you that role.
Please understand this is not about red tape – it is about data protection principles. When somebody is given an elevated role, say "Site moderator", their behaviour exercising that role is monitored. If they abuse the role, or just don't use it, they shall lose the role (this is part of POLP). Now, if the "Site moderator" role is given to someone, in order for them to function in some other capacity (say, as a "CWG Conflict Resolution Team Member"), things such as POLP become much more difficult to monitor and enforce. If I were the controller in charge of data protection at Drupal.org (I'm not), I would hate that.
- Gisle
I don't know what the permissions the CWG needs are, or what Content Moderator has; however, it does sound like there was some concern there may be more permissions in Content Moderator than they actually need to fulfill their duties.
As a D.O. Account holder: it would be nice to see some justification on the least permissions necessary side of this since the question was raised.
Is there anything in that role now or could there ever be in the future that the CWG do not absolutely need?
- 🇺🇸 United States hestenet Portland, OR 🇺🇸
Some of the relevant permissions of the site moderator role include:
- Administer comments and comment settings
- Fasttoggle: Moderate comments
- Fasttoggle: Moderate posts
- Fasttoggle: Moderate users (no user data access)
- Delete contents of any file attachment
- Use the Full HTML text format
- Administer content
- Access the content overview page
Some less relevant, but not enough to justify a whole new role - especially as, if they are maliciously updated with abusive content, being able to edit them is in fact relevant:
- Administer all documentation guides
- Administer news feeds
- Book listing: View any unpublished content
- Book listing: Create / Edit any / Delete
- Case study: Create / Edit any / Delete
- Page: Create / Edit any / Delete
- Contributor skill: delete
- Contributor role: delete
- Documentation Guide: Create / Edit any / Delete
- Documentation Page: Create / Edit any / Delete
- Hosting listing: Create / Edit any / Delete
- Organization: Create / Edit any / Delete
- Projects: Create / Edit any / Delete
- Forum topics: Create / Edit any / Delete
- Taxonomy terms: Create / Edit any / Delete
Importantly it has no elevated user administrator permissions, and therefore no access to PII that might be on user profiles.