[wp-meta] [Making WordPress.org] #5937: Extend the possibility for leaving a plugin or theme review

Making WordPress.org noreply at wordpress.org
Wed Dec 15 05:46:33 UTC 2021

#5937: Extend the possibility for leaving a plugin or theme review
 Reporter:  Clorith      |       Owner:  (none)
     Type:  enhancement  |      Status:  new
 Priority:  normal       |   Milestone:
Component:  General      |  Resolution:
 Keywords:               |

Comment (by dd32):

 **This is just me thinking aloud, nothing solid or set in stone here**,
 there are a number of things related to this that I've removed as

 Regardless of how it's implemented, this is something that I've talked
 about with various people multiple times over the years. Many
 plugins/themes get next to no reviews, which negatively affects
 WordPress.org's ability to use review data for
 ranking/search/sorting/highlighting purposes.

 We could also benefit from it for things like Blocks, Patterns, and Photos
 shown directly within the editor where we'll unfortunately need a way to
 allow someone to flag/report items directly from their editor instance,
 even if they don't have a WordPress.org account.

 There are a number of ways we could offer this including:
  - OAuth flow against their site, which potentially means us having an
 access token for their site temporarily.
  - Private .org API which allows a WordPress site to submit reviews/flags
 about an item, with a callback built in so that .org can verify that the
 site is who it said it is.
  - Private .org API which is the same as above, but returns a special URL
 which can be presented to the user in an iframe, allowing them to review
 an item:
    - (Name + Email or Login button) + Site (hard-coded) + Item (plugin X,
 hard-coded) + Review Text
    - For "high risk" reviews/browsers/whatever it can then go to pending +
 email confirmation
    - If it's deemed "low risk", published as-is until flagged by someone
 (effectively, public unless anyone logged in says "uhh" at which point it
 goes to modlook)

 Now that I think about it more, the final option there is probably the
 most ideal for a review, while the second is probably the best for a "flag
 this item" action.

 We have some flags we can use here, not all of which will be super
  - Whether the site has submitted reviews before, Whether the Name+Email
 provided has submitted them before, etc.
  - reCAPTCHA is in use on WordPress.org login, but misses a bunch of
 things. If we had an iframe that the review was submitted through we'd be
 able to validate that.
  - On login, we have some heuristics around email addresses, manual
 blacklists, and a few other tools which could be leveraged. That would
 allow extra heuristics to be applied to what will effectively be a public
 "comment" that's not as easily accessed as comment forms.
  - Akismet, since as I just realised, it's effectively a comment.
  - WordPress.org stats can probably give some kind of "Is Site URL A in
 good standing" based on how long the site's hashed ID has existed, there's
 bound to be some clashes but few enough to matter.

Ticket URL: <https://meta.trac.wordpress.org/ticket/5937#comment:1>
Making WordPress.org <https://meta.trac.wordpress.org/>