diff options
Diffstat (limited to 'docs/running')
| -rw-r--r-- | docs/running/admin_manual.md | 490 | ||||
| -rw-r--r-- | docs/running/categories_and_tags.md | 196 | ||||
| -rw-r--r-- | docs/running/holding_pen.md | 101 | ||||
| -rw-r--r-- | docs/running/requests.md | 322 | ||||
| -rw-r--r-- | docs/running/upgrading.md | 29 |
5 files changed, 1070 insertions, 68 deletions
diff --git a/docs/running/admin_manual.md b/docs/running/admin_manual.md index d166cb859..7c112400c 100644 --- a/docs/running/admin_manual.md +++ b/docs/running/admin_manual.md @@ -31,10 +31,14 @@ In this guide: <ul> <li><a href="#administrator-privileges-and-accessing-the-admin-interface">Administrator privileges and accessing the admin interface</a></li> <li><a href="#removing-a-message-from-the-holding-pen">Removing a message from the 'Holding Pen'</a></li> - <li><a href="#editing-and-uploading-public-body-email-addresses">Editing and uploading public body email addresses</a></li> + <li><a href="#rejecting-spam-that-arrives-in-the-holding-pen">Rejecting spam that arrives in the holding pen</a></li> + <li><a href="#creating-changing-and-uploading-public-authority-data">Creating, changing and uploading public authority data</a></li> <li><a href="#banning-a-user">Banning a user</a></li> - <li><a href="#deleting-a-request">Deleting a request</a></li> + <li><a href="#allowing-a-user-to-make-more-requests">Allowing a user to make more requests</a></li> + <li><a href="#batch-requests">Batch requests</a></li> + <li><a href="#resending-a-request-or-sending-it-to-a-different-authority">Resending a request or sending it to a different authority</a></li> <li><a href="#hiding-a-request">Hiding a request</a></li> + <li><a href="#deleting-a-request">Deleting a request</a></li> <li><a href="#hiding-an-incoming-or-outgoing-message">Hiding an incoming or outgoing message</a></li> <li><a href="#editing-an-outgoing-message">Editing an outgoing message</a></li> <li><a href="#hiding-certain-text-from-a-request-using-censor-rules">Hiding certain text from a request</a></li> @@ -308,79 +312,456 @@ line, and piping the contents of that file into the mail handling script. e.g. ### Administrator privileges and accessing the admin interface -The administrative interface is at the URL `/admin`. +The <a href="{{ site.baseurl }}docs/glossary/#admin" class="glossary__link">administrative interface</a> +is at the URL `/admin`. Only users who are +<a href="{{ site.baseurl }}docs/glossary/#admin" class="glossary__link">administrators</a> +can access the admin interface. + +To make a user an administrator on a brand new site, +[follow these steps]({{ site.baseurl }}docs/installing/next_steps/#create-a-superuser-admin-account). + +If you're already an administrator, you can grant other users administrator +privilege too. Go to `/admin/users` or click on **Users** at the top of +the admin. Find the user in the list, and click on the name to see the user +details. On that page, click **Edit**. Change the *Admin level* to “super” and +click **Save**. + +As well having access to the admin interface, users who are administrators also +have extra privileges in the main website front end. Administrators can: + + * categorise any request + * view items that have been hidden from the search + * follow "admin" links that appear next to individual requests and comments + +<div class="attention-box warning"> + It is possible completely to override the administrator authentication by + setting + <code><a href="{{ site.baseurl }}docs/customising/config/#skip_admin_auth">SKIP_ADMIN_AUTH</a></code> + to <code>true</code> in <code>general.yml</code>. Never do this, unless you + are working on a <a href="{{ site.baseurl }}docs/glossary/#development" + class="glossary__link">development</a> server. +</div> + +### Removing a message from the holding pen + +Alaveteli puts incoming messages (that is, +<a href="{{ site.baseurl }}docs/glossary/#reponse" class="glossary__link">responses</a>) +into the +<a href="{{ site.baseurl }}docs/glossary/#holding_pen" class="glossary__link">holding pen</a> +if their `To:` email addresses can't automatically be associated with a +<a href="{{ site.baseurl }}docs/glossary/#reponse" class="glossary__link">request</a>. + +The two most common reasons for this are: + + * the request has closed + * the email address was wrongly spelled (for example, the sender missed the last + character off the email address when they copied it) + +When this happens, the messages wait in the holding pen until an administrator +redelivers them to the correct request, or else deletes them. + +To do this, log into the +The <a href="{{ site.baseurl }}docs/glossary/#admin" class="glossary__link">admin interface</a> +at `/admin`. If there are any messages in the holding pen, you'll see this +message under the title *Things to do*: + +> Put misdelivered responses with the right request + +Click on that message — you'll see a list of all the messages that need +your attention. Click on any one of them to see the details. + +<div class="attention-box helpful-hint"> + If the message does not belong to any request, you can delete it instead. + Simply click on the <strong>Destroy Message</strong> button instead of + redelivering it. +</div> + +When you inspect a message, you may see a guess made by Alaveteli as to which +request the message belongs to. Check this request. If the guess is right +— the incoming email really is a response to that request — +the request's *title_url* will already be in the input box: click the +**Redeliver to another request** button. + +If there is not a guess, or Alaveteli's guess is wrong, look at the `To:` +address of the raw email and the contents of the message itself. You need +to figure out which request it belongs to. You can browse and search +requests in the admin interface by clicking **Requests** at the top of the +admin. When you have found the correct request, copy either its *id* or +its *url_title*. + +<div class="attention-box info"> + <p><strong>How to find a request's <em>id</em> or <em>url_title</em></strong></p> + <p> + A request's <em>id</em> is the number after <code>/show/</code> in the + admin interface's URL when you are looking at that request. + For example, if the URL is <code>/admin/request/show/118</code>, then the + <em>id</em> is <code>118</code>. + </p> + <p> + A request's <em>url_title</em> is the part after <code>/request/</code> + in your Alaveteli site's URL when you are looking at that request. + In the URL <code>/request/how_many_vehicles</code>, the + <em>url_title</em> is <code>how_many_vehicles</code>. + </p> +</div> + +Once you have identified the request the message belongs to, return to the +holding pen message page. Find the incoming message's "Actions" and paste the +request *id* or *url_title* into the text input. Click on the **Redeliver to +another request** button. + +The message will now be associated with the correct request. It is no longer +in the holding pen, and is shown instead on the public request page. + + +### Rejecting spam that arrives in the holding pen + +Alaveteli maintains a +<a href="{{ site.baseurl }}docs/glossary/#spam-address-list" class="glossary__link">spam address list</a>. +Any incoming message to an email address on that list +*that would otherwise be put in the holding pen* will be rejected and won't +appear in the admin. + +If you see spam messages in the +<a href="{{ site.baseurl }}docs/glossary/#holding_pen" class="glossary__link">holding pen</a>, +check if they are being sent to a *specific* email address. If they are, that +email address has become a "spam-target" and you should add it to the spam +address list. Thereafter, Alaveteli will automatically reject any messages that +come to that address. + +An email address that is not associated with a request (that is, one whose +messages end up in the holding pen) becomes a spam-target once it's been +harvested by spammers. There are several reasons why such an invalid address +might exist — perhaps it was mis-spelled in a manual reply, for example. +Our experience from running +<a href="{{ site.baseurl }}docs/glossary/#wdtk" class="glossary__link">WhatDoTheyKnow</a> +is that you can safely dismiss incoming email to such addresses once they have +been targeted in this way. Legitimate emails that arrive in the holding pen +tend to be unique errors (for example, missing the last character of the email +address due to a cut-and-paste mistake) and the nature of the lifecycle of +requests means they don't typically get used for spam until they are +effectively dead. + +To add an email address to the spam address list you need to copy it from an +incoming message and paste it into the spam addresss list. The easiest way to +do this is to click on **Summary** at the top of any admin page, and then click +on **Put misdelivered responses with the right requests** to see the contents +of the holding pen. + +<div class="attention-box info"> + If there are no messages in the holding pen, Alaveteli won't show you this + link. Great — there are no misdelivered responses needing your + attention right now! +</div> + +Inside the holding pen, you'll see the list of emails awaiting attention +— click on an email's subject line to see the whole message and its +details. Copy the `To:` email address, then click on the **Spam Addresses** +link under *Actions*. Paste the email address into the text input and click the +**Add Spam Address** button. + +You can see the spam address list (that is, all known spam-target email +addresses) at any time by going to the admin interface at `/admin/spam_addresses`. + +You can remove any address from the list by clicking the **Remove** button +next to it. Of course, this won't restore any messages that have been +rejected, but Alaveteli will not reject any new messages that are sent to +this address. + +Note that if you are seeing consistent spam email in your holding pen, you +should also consider implementing (or increasing) the anti-spam measures +running in your +<a href="{{ site.baseurl }}docs/glossary/#mta" class="glossary__link">MTA</a>. + +### Creating, changing and uploading public authority data + +There are three ways to change public authority data on your site: + + * *Create* — + You can create a new public authority in the admin interface. Go to **Authorities**, and click the **New Public Authority** button. + + * *Edit* — + Once an authority is created, you can update its email address or other + details by editing it in the admin interface. Go to **Authorities**, find + the authority you want to update, and click on **edit**. + + * *Upload* — + You can also create or edit more than one authority at the same time by + uploading a file containing the data in comma-separated values (CSV) + format. This works for new authorities as well as those that already exist + on your site. Go to **Authorities** and click the **Import from CSV** button. See the rest of this section for more about uploading. + +The upload feature is useful — especially when an Alaveteli site is first +set up — because it's common to collect data such as the contact details +for the public authorities in a spreadsheet. Alaveteli's upload feature makes it +easy to initially load this data onto the site. It also lets you update the +data if it changes after it's already been loaded. + +To use the data in the spreadsheet to update the bodies on your site, export +("save as") the spreadsheet as a CSV file. This is the file you can upload. + +The first line of your CSV file should start with `#` (this indicates that this +line does not contain data) and must list the column names for the data that +follows on the subsequent lines. Column names must: + + * be on the first line + * match expected names *exactly*, and include `name` and `request_email` + (see table below) + * appear in the same order as corresponding items in the lines of data that follow + +Most spreadsheet programs will produce a suitable CSV file for you, provided +that you carefully specify correct titles at the top of each column. Be sure to +use names exactly as shown — if Alaveteli encounters an +unrecognised column name, the import will fail. + +<table class="table"> + <tr> + <th>column name</th> + <th>i18n suffix?</th> + <th>notes</th> + </tr> + <tr> + <td><code>name</code></td> + <td><em>yes</em></td> + <td> + <em>This column <strong>must</strong> be present.</em><br> + The full name of the authority.<br> + If it matches an existing authority's name, that authority will be + updated — otherwise, this will be added as a new authority. + </td> + </tr> + <tr> + <td><code>request_email</code></td> + <td><em>yes</em></td> + <td> + <em>This column <strong>must</strong> be present, + but can be left empty.</em><br> + The email to which requests are sent + </td> + </tr> + <tr> + <td><code>short_name</code></td> + <td><em>yes</em></td> + <td>Some authorities are known by a shorter name</td> + </tr> + <tr> + <td><code>notes</code></td> + <td><em>yes</em></td> + <td>Notes, displayed publicly (may contain HTML)</td> + </tr> + <tr> + <td><code>publication_scheme</code></td> + <td><em>yes</em></td> + <td> + The URL of the authority's + <a href="{{ site.baseurl }}docs/glossary/#publication-scheme" class="glossary__link">publication scheme</a>, + if they have one + </td> + </tr> + <tr> + <td><code>disclosure_log</code></td> + <td><em>yes</em></td> + <td> + The URL of the authority's + <a href="{{ site.baseurl }}docs/glossary/#disclosure-log" class="glossary__link">disclosure log</a>, + if they have one + </td> + </tr> + <tr> + <td><code>home_page</code></td> + <td>no</td> + <td>The URL of the authority's home page</td> + </tr> + <tr> + <td><code>tag_string</code></td> + <td>no</td> + <td>separated tags with spaces</td> + </tr> +</table> + + * Existing authorities cannot be renamed by uploading: if you need to do + this, use the admin interface to edit the existing record first, and + change its name in the web interface. + * If the authority already exists (the `name` matches an existing authority's + name exactly), a blank entry leaves the existing value for that column + unchanged — that is, that item of data on your site will not be + changed. This means you only really need to include data you want to + update. + * Columns with "i18n suffix" can accept + <a href="{{ site.baseurl }}docs/glossary/#i18n" class="glossary__link">internationalised</a> + names. Add a full stop followed by the language code, for example: + `name.es` for Spanish (`es`). This *must* be a locale you've declared in + [`AVAILABLE_LOCALES`]({{ site.baseurl }}docs/customising/config/#available_locales). + If you don't specify an i18n suffix, the default language for your site is + assumed. + * You can specify a blank entry in the CSV file by having no character + between commas. + * If an entry contains a comma, enclose it in double quotes like this: + `"Comma, Inc"`. + * If an entry contains any double quotes, you must replace each of + them with two (so `"` becomes `""`) and also enclose the whole entry in + double quotes like this: `"In ""quotes"""` (which will be imported as `In + "quotes"`). + +For example, here's data for three authorities in CSV format ready for upload. +The first line defines the column names, then the next three lines contain the +data (one line for each authority): + + #name,short_name,short_name.es,request_email,notes + XYZ Library Inc.,XYZ Library,XYX Biblioteca,info@xyz.example.com, + Ejemplo Town Council,,Ayuntamiento de Ejemplo,etc@example.com,Lorem ipsum. + "Comma, Inc.",Comma,,comma@example.com,"e.g. <a href=""x"">link</a>" + +Note that, if Ejemplo Town Council already exists on the site, the blank entry +for `short_name` will leave the existing value for that column unchanged. + +To upload a CSV file, log into the admin and click on **Authorities**. Click on +**Import from CSV file**, and choose the file you've prepared. + +Specify **What to do with existing tags?** with one of these options: + + * *Replace existing tags with new ones* <br/> + For each authority being updated, all existing tags will be removed, and + replaced with the ones in your CSV file. + + * *Add new tags to existing ones* <br/> + Existing tags will be left unchanged, and the tags in your CSV file will + be added to them. + +You can add a **Tag to add entries to / alter entries for**. This tag will +be applied to every body that is imported from your CSV file. + +We always recommend you click **Dry run** first -- this will run through the +file and report the changes it will make in the database, *without actually +changing the data*. Check the report: it shows what changes would be made if +you really uploaded this data, followed by a message like this: + + Dry run was successful, real run would do as above. + +If you see nothing above that line, it means the dry run has resulted in no +proposed changes. + +If everything was OK when you ran the dry run, click **Upload** instead. This +will repeat the process, but this time it will make the changes to your +site's database. + +If you see an error like `invalid email`, either you really have mistyped an +email address, or (more likely) your CSV file does not have a `request_email` +column. + +#### Creating a spreadsheet of existing authorities + +You can easily create a spreadsheet containing the authorities that <em>already +exist</em> on your site. Combined with the upload feature described above, this +may be a more convenient way to update your data than editing it in the admin +interface. + +To export the existing authorities' data, go to your site's home page (not the +admin) and click <strong>View Authorities</strong>. Then click <strong>List of +all authorities (CSV)</strong> to get a CSV file. You can then make changes to +this file using a spreadsheet program and upload it as described above. + +You'll need to remove some columns that are not accepted by the import feature +and possibly rename some that are — see the column names above. +Also, note that by default the exported spreadsheet does not contain a +`request_email` column. If you want to update email addresses, you should +manually add a column to your spreadsheet with the heading `request_email` and +fill in a new email address for each authority you want to update. Authorities +with blank values in any column will keep their existing value for that +attribute. + +<div class="attention-box info"> +Alaveteli never includes authorities which have the tag <code>site_administration</code> when it exports authorities in CSV format. +If you're running a development server with the sample data, the single example +body called "Internal admin authority" has this tag, so if you click +<strong>List of all authorities (CSV)</strong>, you'll get a CSV file which +contains no data. You need to add your own authorities (without the +<code>site_administration</code> tag) before you can export them. +</div> -Only users with the `super` admin level can access the admin interface. Users -create their own accounts in the usual way, and then administrators can give -them `super` privileges. +### Banning a user -There is an emergency user account which can be accessed via -`/admin?emergency=1`, using the credentials `ADMIN_USERNAME` and -`ADMIN_PASSWORD`, which are set in `general.yml`. To bootstrap the -first `super` level accounts, you will need to log in as the emergency -user. You can disable the emergency user account by setting `DISABLE_EMERGENCY_USER` to `true` in `general.yml`. +You may wish to completely ban a user from the website (such as a spammer or troll for example). You need to log into the admin interface at `/admin`. On the top row of links, locate and click on ‘Users’. -Users with the superuser role also have extra privileges in the website -front end, such as being able to categorise any request, being able to view -items that have been hidden from the search, and being presented with "admin" -links next to individual requests and comments in the front end. +Find the user you wish to ban on the list and click on their name. Once on the user page, select ‘edit’. -It is possible completely to override the administrator authentication by -setting `SKIP_ADMIN_AUTH` to `true` in `general.yml`. +Enter some text in the in the ‘Ban text’ box to explain why they have been banned. Please be aware, this is publicly viewable from the users' account. Then click on save and the user will be banned. -### Removing a message from the 'Holding Pen' +### Allowing a user to make more requests -The reason a message is in the holding pen is because the email can't be automatically associated with the request it is responding to. The email needs to be moved from the holding pen to the request it belongs with. +Alaveteli has a config setting <code><a href="{{ site.baseurl }}docs/customising/config/#max_requests_per_user_per_day">MAX_REQUESTS_PER_USER_PER_DAY</a></code>, +which determines the maximum number of requests that a normal user can +make in a day. If they try to make more than this number of requests +within a 24 hour period, they will see a message telling them that they +have hit the limit, and encouraging them to use the contact form if they +feel they have a good reason to ask for the request limit to be lifted. -First, log into the admin interface at `/admin`. You will see messages that are in the 'holding pen' under the title ‘Put misdelivered responses with the right request’. Click on the chevron to see the individual messages. +To lift the request limit for a particular user, go to the <a href="{{ site.baseurl }}docs/glossary/#admin" class="glossary__link">admin +interface</a>, click on **Users**, then click on the name of the user +you want to lift the request limit for. Click the **Edit** button. Tick +the checkbox **No rate limit**, and click the **Save** button. -If you click on a message in the holding pen, you may see a guess made by Alaveteli as to which request the message belongs to. Check this request. If it isn't the right one, or if Alaveteli hasn't made any guesses, you will need to look at the `To:` address of the raw email and the contents of the mail in order to figure out which request it belongs to. You can browse and search requests in the admin interface under the 'Requests' menu item. +### Batch requests -Once you have identified the request the message belongs to, you need to go back to the holding pen message page. Paste the request `id` or `url_title` into the box under 'Actions' in 'Incoming Message'. The request `id` can be found in the request URL in the admin interface - it is the part after `/show/`. In the admin request URL `/admin/request/show/118`, the request `id` is `118`. The `url_title` can be found in the request URL in the main interface - it is the part after `/request/`. In the URL `/request/documents_relating_to_meeting`, it is `documents_relating_to_meeting`. Then click on 'Redeliver to another request'. +Sometimes a user may want to send the same request to more than one authority, which we call a batch request. By default, Alaveteli does not allow users to make batch requests. -The message will now be associated with the correct request and will appear on the public request page. +<div class="attention-box info"> +<p>We believe that batch requests can be abused — users can send poorly thought-out or vexatious requests, which will annoy authorities and damage the reputation of your site. However, well thought-out batch requests can be an extremely useful tool in collecting comparative data sets across types of authority, for example, all police forces.</p> +<p> +We recommend that you enable batch requesting for users who you notice making the same good request to multiple authorities. +</p> +<p> +Users can choose which authorities to include in a batch requests. They can even send a request to <em>every single authority</em> on your site. Only give this power to users that you trust. +</p> +</div> -### Editing and uploading public body email addresses +To enable batch requests on your site, first you must set +<code><a href="{{ site.baseurl }}docs/customising/config/#allow_batch_requests">ALLOW_BATCH_REQUESTS</a></code> +to <code>true</code> in <code>general.yml</code>. +This does not allow anyone to make batch requests yet. You must still +enable this for each user on an individual basis. To do this, go to the +<a href="{{ site.baseurl }}docs/glossary/#admin" +class="glossary__link">admin interface</a>, click on **Users**, then +click on the name of the user who wants to make batch requests. Click +the **Edit** button. Tick the checkbox **Can make batch requests**, and +click the **Save** button. +If you've enabled batch requests for a user, when they start to make a +request, in addition to the box where they can select an authority, they +will see a link to "make a batch request". When the request is sent, +Alaveteli will make a request page for this request for each authority, +as if the user had made individual requests. -### Banning a user +### Resending a request or sending it to a different authority -You may wish to completely ban a user from the website (such as a spammer or troll for example). You need to log into the admin interface at `/admin`. On the top row of links, locate and click on ‘Users’. +If you have corrected the email address for an authority, you can resend +an existing request to that authority to the new email address. Alternatively, +a user may send a request to the wrong authority. In that situation, you can +change the authority on the request and then resend it to the correct authority. +For instructions, see +[resending a request or sending it to a different authority]({{ site.baseurl }}docs/running/requests/#resending-a-request-or-sending-it-to-a-different-authority). -Find the user you wish to ban on the list and click on their name. Once on the user page, select ‘edit’. -Enter some text in the in the ‘Ban text’ box to explain why they have been banned. Please be aware, this is publicly viewable from the users' account. Then click on save and the user will be banned. +### Hiding a request -### Deleting a request +If a request contains vexatious or inappropriate content, is libellous, or is +not a valid +<a href="{{ site.baseurl }}docs/glossary/#foi" class="glossary__link">Freedom of Information</a> +request at all, you may want to hide it. A hidden request is still visible to +you and the other administrators, and (optionally) the requester themselves. +For instructions, see +[hiding a request]({{ site.baseurl }}docs/running/requests/#hiding-a-request). -You can delete a request entirely using the admin interface. You will mainly only need to do this if someone has posted private information. Go to the admin page for the request by searching or browsing in the 'Requests' section of the admin interface. In the first section, click the 'Edit metadata' button. At the bottom of the next page, click the red 'Destroy request entirely' button. +Responses to a hidden request will be accepted in the normal way, but because +they are added to the request's page, they too will be hidden. -### Hiding a request +### Deleting a request -You can hide an entire request from the admin interface. Log in to the -admin interface at `/admin`. On the top row of links, locate and click on -'Requests'. Search or browse to find the admin page for the request you -want to hide. You can also go directly to this page by following an -'admin' link from the public request page. You can hide a request in one -of two ways. - - * <strong>Hiding a vexatious or non-FOI request and notifying the - requester</strong> - Scroll down to the 'actions' section of the request - admin page. Select one of the options next to 'Hide the request and - notify the user:' and customise the text of the email that will be - sent to the user to let them know what you've done. When you're - ready, click the 'Hide request' button. - * <strong>Hiding a request or making it only visible to the - requester without notifying the requester</strong> - In the 'Request metadata' section of the request - admin page, click 'Edit metadata'. Change the 'Prominence' value to - 'requester_only' to only allow the requester to view the request, or - to 'hidden' to hide the request from everyone except site admins. - When you're ready, click 'Save changes' at the bottom of the 'Edit - metadata' section. No email will be sent to the requester to notify - them of what you've done. +You can delete a request from the site. For instructions, see +[deleting a request]({{ site.baseurl }}docs/running/requests/#deleting-a-request). + +Responses to a deleted request will be sent to the holding pen. ### Hiding an incoming or outgoing message @@ -454,4 +835,3 @@ text you wish to replace it with e.g. '[personal information has been hidden]', and a comment letting other admins know why you have hidden the information. - diff --git a/docs/running/categories_and_tags.md b/docs/running/categories_and_tags.md new file mode 100644 index 000000000..f34c8fec3 --- /dev/null +++ b/docs/running/categories_and_tags.md @@ -0,0 +1,196 @@ +--- +layout: page +title: Categories & tags +--- + +# Categories and tags for authorities + +<p class="lead"> + + Use tags to arrange + <a href="{{ site.baseurl }}docs/glossary/#authority" + class="glossary__link">authorities</a> into categories, or to associate + related authorities with each other. This helps your users find the right + authority for the + <a href="{{ site.baseurl }}docs/glossary/#request" class="glossary__link">request</a> + (or <a href="{{ site.baseurl }}docs/glossary/#response" class="glossary__link">response</a>) + they are interested in. +</p> + +## Categories & category headings + +Alaveteli lets you organise your authorities into *categories*. Categories can +themselves belong to *category headings*. For example, some of the categories +and headings on +<a href="{{ site.baseurl }}docs/glossary/#wdtk" class="glossary__link">WhatDoTheyKnow</a>'s +<a href="https://www.whatdotheyknow.com/body/list/all">View authorities</a> page look like this: + +> * **Media and culture** +> * Media +> * Museums and galleries +> * **Military and security services** +> * Armed Forces +> * Military colleges +> * Security services +> * **Emergency services** +> * Police forces +> * Fire & rescue services + + +In this example, "Emergency services" is a heading which contains the categories +"Police forces" and "Fire & rescue services". + +Tags are simply searchable words that you can add to an authority. Nominate a +tag for each category: any authority which has that tag is automatically +assigned to the category. For example, if the tag `police` is associated with +the category "Police forces", any authority which has the tag `police` will +appear in that category. + +Make sure you choose good category headings and names, because they help your +users find the specific authorities they are looking for. + +<div class="attention-box info"> + Try to use simple but descriptive words for tags. Tags cannot contain spaces + (use an underscore if you need to, <code>like_this</code>). + Remember that tags will be seen and used by the public (for example, in the + <a href="{{ site.baseurl }}docs/glossary/#advanced-search" class="glossary__link">advanced search</a>). +</div> + +### Adding a new category + +In the admin interface, click on **Categories**. It's a good idea to create +category headings first (but don't worry if you don't — you can change +them later). + +Click on **New category heading**, enter a name (for example, "Emergency +services") and click **Create**. + +To create a category, click on **New category**. As well as providing a title +and a description, you must enter a category tag. Any authority with this tag +will be assigned to this category. + +Select the checkbox next to the category heading under which you want this +category to be listed. It's common for a category to be under just one heading. +But sometimes it makes sense for a category to go under more than one, so you +can select multiple checkboxes if you need to. + +Click **Save** to create the category. + +### Editing or deleting a category + +Click on **Categories** then find the category in the list (if the category is +under a heading, you may need to click on the heading's chevron to expand the +list to show it). Click the name of the category to select it. You can edit it +and click **Save**. + +If you want to destroy a category, go to edit it but instead of saving it, +click on the **Destroy** button at the bottom of the page. This does not +delete any authorities in that category — they simply no longer belong to +it. + +## Special tags + +Some tags are special. Alaveteli behaves differently when an authority has one +of these tags. + +<table class="table"> + <tr> + <th> + Tag + </th> + <th> + Effect + </th> + </tr> + <tr> + <td> + <code>site_administration</code> + </td> + <td> + This is a test/dummy authority. It is not displayed to the public on your + main site, and it is not included when you + <a href="{{ site.baseurl }}docs/running/admin_manual/#creating-changing-and-uploading-public-authority-data">export authorities in CSV format</a>. + </td> + </tr> + <tr> + <td> + <code>defunct</code> + </td> + <td> + This authority no longer operates: new requests cannot be sent to an + authority with this tag. + </td> + </tr> + <tr> + <td> + <code>not_apply</code> + </td> + <td> + <a href="{{ site.baseurl }}docs/glossary/#foi" class="glossary__link">Freedom of Information</a> + law does not apply to this authority: new requests cannot be sent to an + authority with this tag. + </td> + </tr> + <tr> + <td> + <code>eir_only</code> + </td> + <td> + <em>Custom example:</em> (see below)<br> + On our UK installation of Alaveteli, + <a href="{{ site.baseurl }}docs/glossary/#wdtk" class="glossary__link">WhatDoTheyKnow</a>, + this tag indicates that the authority is subject to an alternative law + (Environment Information Regulations, rather than the Freedom of + Information), which means Alaveteli must change the wording of these + requests appropriately. + </td> + </tr> + <tr> + <td> + <code>school</code> + </td> + <td> + <em>Custom example:</em> (see below)<br> + <a href="{{ site.baseurl }}docs/glossary/#wdtk" class="glossary__link">WhatDoTheyKnow</a> + applies a different definition of "late" if an authority has the <code>school</code> tag. + </td> + </tr> +</table> + +## Custom tags and custom behaviour + +You can add any tag you want — they don't have to be associated with +categories. + +If you are a developer, and you want to add special behaviour to your site +based on your own tags, you need to add custom code, which should probably go +in your own +<a href="{{ site.baseurl}}docs/glossary/#theme" class="glossary__link">theme</a>. +For example, in the UK, schools are granted special concession in the law to allow for +requests that are made out of term-time. Alaveteli handles this by using the +[`SPECIAL_REPLY_VERY_LATE_AFTER_DAYS`]({{ site.baseurl }}docs/customising/config/#special_reply_very_late_after_days) +config value if the authority has the `school` tag. +See +[`is_school?`](https://github.com/mysociety/alaveteli/blob/f0bbeb4abf4bf07e5cfb46668f39bbff72ed7210/app/models/public_body.rb#L391) +and +[`date_very_overdue_after`](https://github.com/mysociety/alaveteli/blob/81b778622ed47e24a2dea59c0529d1f928c68a58/app/models/info_request.rb#L752) +for the source code. + +## Searching with tags + +Alaveteli's +<a href="{{ site.baseurl }}docs/glossary/#advanced-search" class="glossary__link">advanced search</a> +feature (which is available to all your users) can search for specific tags. So +if you add useful tags and publicise them, your users can use them to find +related authorities. For example, see the <a +href="https://www.whatdotheyknow.com/advancedsearch">advanced search on +WhatDoTheyKnow</a> to see this at work. + +You can add reference numbers or specific values to tags using a colon. On +<a href="{{ site.baseurl }}docs/glossary/#wdtk" class="glossary__link">WhatDoTheyKnow</a> +we tag all authorities that are charities with the tag `charity:123456` (where +123456 is the authority's registered charity number). + + + + diff --git a/docs/running/holding_pen.md b/docs/running/holding_pen.md new file mode 100644 index 000000000..5b7f08bec --- /dev/null +++ b/docs/running/holding_pen.md @@ -0,0 +1,101 @@ +--- +layout: page +title: The holding pen +--- + +# The holding pen + +<p class="lead"> + + The <em>holding pen</em> is where Alaveteli puts any incoming + <a href="{{ site.baseurl }}docs/glossary/#response" class="glossary__link">responses</a> + that can't be matched to a + <a href="{{ site.baseurl }}docs/glossary/#request" class="glossary__link">request</a> + automatically. +</p> + + +Alaveteli works by emailing requests to the correct target +<a href="{{ site.baseurl }}docs/glossary/#authority" class="glossary__link">authority</a>. +That email message is sent from a unique email address — that is, an +email address that is associated with that single request (technically, +Alaveteli hashes the request ID to generate a unique address and uses this as +the `Reply-to:` address). + +So whenever an authority replies (by email) to a request that Alaveteli has +sent, that response will be addressed to that request's unique email address. +The email is received by your installation's +<a href="{{ site.baseurl}}docs/glossary/#mta" class="glossary__link">MTA</a>, +and is passed on to Alaveteli. In this way, incoming messages are easily +matched with the request they are responses to — this is important +because your site displays the responses underneath their original request, on +the request's page. + +Normally, this works fine. But sometimes things go wrong, and a message comes +in that can't be matched with a request. When this happens, Alaveteli puts the +message in the +<a href="{{ site.baseurl }}docs/glossary/#holding_pen" class="glossary__link">holding +pen </a>. + +Messages wait in the holding pen until an +<a href="{{ site.baseurl }}docs/glossary/#super" class="glossary__link">administrator</a> +redelivers them to the correct request, or else deletes them. + +## Why messages end up in the holding pen + +There are several reasons why a message might end up in the holding pen: + +* **the authority "broke" the reply-to email**<br> + This can happen if the authority replies "by hand" to the incoming email — + for example if the person at the authority accidentally loses the first + letter of the email address when they copy-and-paste it. Or if they copy + it manually and simply get it wrong. + +* **there's something unusual about the way it was sent**<br> + For example, if it was delivered here because the address is in the `Bcc:` + field, and is not the `To:` address. + +* **a partial email address may have been guessed**<br> + Someone guesses an email address which Alaveteli doesn't recognise. Perhaps + they have misunderstood how the addresses are formed, or maybe it's a + deliberate attempt to send spam. + +* **the response is to a request that has been deleted**<br> + If you [delete a request]({{ site.baseurl }}docs/running/requests/#deleting-a-request), + Alaveteli cannot deliver responses to it. + +* **the response has been rejected and rejections are set to go to the holding pen**<br> + Incoming mail that is correctly addressed but not accepted for the request + goes into the holding pen if the request's `handle_rejected_responses` + behaviour is set to `holding_pen` (rather than bouncing the email back to + the sender, or simply deleting it). Responses may be rejected for various + reasons — for example, if a response is sent from an unrecognised + email address for a request whose *Allow new responses from* setting is + `authority_only`. See instructions on + [how to manage requests]({{site.baseurl}}docs/running/requests/) for details. + +## What to do: redeliver or delete + +You need to be an +<a href="{{ site.baseurl }}docs/glossary/#super" class="glossary__link">administrator</a> +to modify the holding pen. + +There are two things you can do to a message in the holding pen: + + * **find the right request, and redeliver the message**<br> + Alaveteli tries to guess the right request to help you, so sometimes + you can just accept its suggestion. + + * **delete the message**<br> + If the message is not a response, you can delete it. + +For instructions, see +[removing a message from the holding pen]({{ site.baseurl }}docs/running/admin_manual/#removing-a-message-from-the-holding-pen). + +If the `To:` address does not belong to a valid request and the message is +clearly spam you can add that email address to Alaveteli's +<a href="{{site.baseurl}}#spam-address-list" class="glossary__link">spam address list</a>. +Subsequent messages to that address will be automatically rejected — for +instructions see +[rejecting spam that arrives in the holding pen]({{ site.baseurl }}docs/running/admin_manual/#rejecting-spam-that-arrives-in-the-holding-pen). + diff --git a/docs/running/requests.md b/docs/running/requests.md new file mode 100644 index 000000000..bf8655949 --- /dev/null +++ b/docs/running/requests.md @@ -0,0 +1,322 @@ +--- +layout: page +title: Managing requests +--- + +# Managing Requests + + +<p class="lead"> + Alaveteli makes it easy for a user to make a + <a href="{{ site.baseurl }}docs/glossary/#request" class="glossary__link">request</a>. + As an + <a href="{{ site.baseurl }}docs/glossary/#super" class="glossary__link">administrator</a>, + there are some things about that request you can change once it’s been created. +</p> + +A request is automatically created when a user submits and (where necessary) +confirms it. Alaveteli sends it to the +<a href="{{ site.baseurl }}docs/glossary/#authority" class="glossary__link">authority</a> +responsible and handles any +<a href="{{ site.baseurl }}docs/glossary/#response" class="glossary__link">responses</a>. +Usually this process runs without needing any intervention from an +administrator. But sometimes you'll want to change some aspect of the request, +or the way Alaveteli is handling it. + +<ul class="toc"> + <li><a href="#what-state-is-the-request-in">What state is the request in?</a></li> + <li><a href="#changing-things-about-a-request">Changing things about a request</a></li> +<li><a href="#resending-a-request-or-sending-it-to-a-different-authority">Resending a request or sending a request to a different authority</a></li> + <li><a href="#hiding-a-request">Hiding a request</a></li> + <li><a href="#deleting-a-request">Deleting a request</a></li> +</ul> + +## What state is the request in? + +Every request moves through a series of +<a href="{{ site.baseurl }}docs/glossary/#state" class="glossary__link">states</a>, +indicating its progress. Usually a new request will be in the +`waiting_response` state until something happens to change that — for +example, a response is received. + +However, states can't always be set automatically, because they require a +decision to be made on what kind of answer the authority provided in the +response. For states like this, Alaveteli invites the original requester to +describe it — for example, when a response is received they can change +the state to `successful`, `partially_successful` or `not_held` (if the +authority replied to say they don't have the information requested). + +<div class="attention-box info"> + If a request has been waiting for over three weeks for the original + requester to describe it but has still not been described, Alaveteli + lets <em>anyone</em> classify it. +</div> + +Internally, Alaveteli does not just record the "described state" of a request, +but also notices if anything has happened since it was last described and +sets its "awaiting description" status appropriately. + + +## Changing things about a request + +To change any of these settings, go to the +<a href="{{ site.baseurl }}docs/glossary/#admin" class="glossary__link">admin interface</a>, +click on **Requests**, then click on the title of the request you want to affect. +Click the **Edit metadata** button. + +<table class="table"> + <tr> + <th> + What you can change + </th> + <th> + Details + </th> + </tr> + <tr> + <td> + Title + </td> + <td> + The <em>title</em> is shown on the request’s page, but is also used + in the URL (the text is changed to lower case, punctuation is removed + and, if necessary, a number is added for disambiguation — this is + called the “slug”). + <p> + Note that changing the title changes the URL, because the slug changes + — this means any links to the <em>old</em> URL will no longer + work, and will return a 404 (file not found) error. + </p> + </td> + </tr> + <tr> + <td> + Who can see it? + </td> + <td> + Change the <strong>Prominence</strong> setting to one of: + <ul> + <li><code>normal</code></li> + <li> + <code>backpage</code>: request can be seen by anyone (by visiting + its URL, for example) but does not appear in lists, or search results + </li> + <li> + <code>requester_only</code>: request only visible to the person who + made the request + </li> + <li> + <code>hidden</code>: request is never shown (except to administrators) + </li> + </ul> + <br> + </td> + </tr> + <tr> + <td> + Who can respond? + </td> + <td> + The <strong>Allow new responses from...</strong> setting can be one of: + <ul> + <li><code>anybody</code></li> + <li> + <code>authority_only</code>: responses are allowed if they come + from the authority to which the request was sent, or from any domain + from which a a response has <em>already</em> been accepted + </li> + <li> + <code>nobody</code>: no responses are allowed on this request + </li> + </ul> + Any response from a sender who has been disallowed by this + setting will be rejected (see next entry). + </td> + </tr> + <tr> + <td> + What happens to rejected responses? + </td> + <td> + The <strong>Handle rejected responses...</strong> setting specificies + what happens to responses that are not allowed (see previous entry): + <ul> + <li> + <code>bounce</code>: responses are sent back to their sender + </li> + <li> + <code>holding pen</code>: responses are put in the + <a href="{{ site.baseurl }}docs/glossary/#holding_pen" class="glossary__link">holding pen</a> + for an administrator to deal with + </li> + <li> + <code>blackhole</code>: responses are destroyed by being sent to a + <a href="{{ site.baseurl }}docs/glossary/#blackhole" class="glossary__link">black hole</a> + </li> + </ul> + </td> + </tr> + <tr> + <td> + What state is it in? + </td> + <td> + See <a href="{{ site.baseurl }}docs/customising/states/">more about + request states</a>, which can be customised for your installation. + <p> + You can force the state of the request by choosing it explicitly. + Change the <strong>Described state</strong> setting. + </p> + <p> + You may also need to set <strong>Awaiting description</strong> if, + having changed the state, you want the original requester to update the + description. For example, if the state depends on the information + within the response, and you want the requester to classify it — + see + <em><a href="#what-state-is-the-request-in">What state is the request in?</a></em> + above. + </p> + </td> + </tr> + <tr> + <td> + Are comments allowed? + </td> + <td> + The <strong>Are comments allowed?</strong> setting simply you choose to + allow or forbid annotations and comments on this request. + <p> + Note that this won’t hide any annotations that have already + been left on the reques — it only prevents users adding new ones. + </p> + </td> + </tr> + <tr> + <td> + Tags (search keywords) + </td> + <td> + Enter tags, separated by spaces, that are associated with this request. + A tag can be either a simple keyword, or a key-value pair (use a colon as + the separator, like this: <code>key:value</code>). + <p> + Tags are used for searching. Users and administators both benefit if + you tag requests with useful keywords, because it helps them find + specific requests — especially if your site gets busy and there + are very many in the database. + </p> + <p> + Although it’s a little more complex than tags on requests, + <a href="{{ site.baseurl }}docs/glossary/#category" class="glossary__link">categories</a> + also use tags: + see + <a href="{{ site.baseurl }}docs/running/categories_and_tags/">more about tags</a> + for a little more information. + </p> + </td> + </tr> +</table> + +## Resending a request or sending it to a different authority + +If you have corrected the email address for an authority, you can resend +an existing request to that authority to the new email address. Alternatively, +a user may send a request to the wrong authority. In that situation, you can +change the authority on the request and then resend it to the correct authority. + +To resend a request, go to +the <a href="{{ site.baseurl }}docs/glossary/#admin" +class="glossary__link">admin interface</a>, click on **Requests**, then +click on the name of the request you want to change. Go to the **Outgoing messages** heading. Click the chevron next to the first outgoing message, which is the initial request. A panel of information about that message will appear. Click on the **Resend** button. + +To send a request to a different authority, go to +the <a href="{{ site.baseurl }}docs/glossary/#admin" +class="glossary__link">admin interface</a>, click on **Requests**, then +click on the name of the request you want to change. In the **Request +metadata** section, there is a line which shows the authority. Click the +**move...** button next to it. Enter the **url_name** of the authority +that you want to send the request to. + +<div class="attention-box info"> +Users, requests and authorities all have <strong>url_names</strong>. This can be found in the metadata section of their admin page. The <code>url_name</code> makes up the last part of the URL for their public page. So, for a request with the <code>url_name</code> “example_request”, the public page URL will be <code>/request/example_request</code>. +</div> + +Now click the **Move request to +authority** button. You will see a notice at the top of the page telling +you that the request has been moved. You can now resend the request as above. + + +## Hiding a request + +You can hide an entire request. Typically you do this if it's not a valid +Freedom of Information request (for example, a request for personal +information), or if it is vexatious. + +Go to the <a href="{{ site.baseurl }}docs/glossary/#admin" class="glossary__link">admin interface</a>, +click on **Requests**, then click on the title of the request you want. You can +hide it in one of two ways: + + * [Hide the request and notify the requester](#hide-the-request-and-notify-the-requester) + * [Hide the request without notifying the requester](#hide-the-request-without-notifying-the-requester) + +Responses to a hidden request will be accepted in the normal way, but because +they are added to the request's page, they too will be hidden. + +### Hide the request and notify the requester + +Scroll down to the *Actions* section of the request's admin page. +Choose one of the options next to **Hide the request and notify the user:** + + * Not a valid FOI request + * A vexatious request + +Choosing one of these will reveal an email form. Customise the text of the +email that will be sent to the user, letting them know what you've done. When +you're ready, click the **Hide request** button. + +### Hide the request without notifying the requester + +<div class="attention-box helpful-hint"> + As well as hiding the request from everyone, you can also use this method if + you want to make the request only visible to the requester. +</div> + +In the *Request metadata* section of the request's admin page, click the +**Edit metadata** button. Change the *Prominence* value to one of these: + + * `requester_only`: only the requester can view the request + * `hidden`: nobody can see the request, except administrators. + +<div class="attention-box warning"> + If you want to hide the request, do not chooose <code>backpage</code> + as the prominence. The <code>backpage</code> option stops the request + appearing in lists and searches so that it is effectively only visible + to anyone who has its URL — but it <em>does not hide</em> the request. +</div> + +When you're ready, click the **Save changes** button at the bottom of the +*Edit metadata* section. No email will be sent to the requester to notify +them of what you've done. + + +## Deleting a request + +You can delete a request entirely. Typically, you only need to do this if +someone has posted private information. If you delete a request, any responses that it has already received will be +destroyed as well. + +<div class="attention-box warning"> + Deleting a request destroys it. There is no “undo” operation. + If you're not sure you want to do this, perhaps you should + <a href="#hiding-a-request">hide the request</a> instead. +</div> + +Go to the <a href="{{ site.baseurl }}docs/glossary/#admin" class="glossary__link">admin interface</a>, +click on **Requests**, then click on the title of the request you want to delete. +Click the **Edit metadata** button. Click on the red **Destroy request entirely** +button at the bottom of the page. + +Responses to a deleted request will be sent to the +<a href="{{ site.baseurl }}docs/glossary/#holding_pen" class="glossary__link">holding pen</a>. + + diff --git a/docs/running/upgrading.md b/docs/running/upgrading.md index 533035892..81af8289f 100644 --- a/docs/running/upgrading.md +++ b/docs/running/upgrading.md @@ -6,10 +6,10 @@ Upgrading Alaveteli ==================== <p class="lead"> - Alaveteli is under active development — don't let the - version you're running get too far behind our latest + Alaveteli is under active development — don’t let the + version you’re running get too far behind our latest <a href="{{site.baseurl}}docs/glossary/#release" class="glossary__link">release</a>. - This page describes how to keep your site up-to-date + This page describes how to keep your site up to date. </p> ## How to upgrade the code @@ -29,23 +29,26 @@ you should always run the script `scripts/rails-post-deploy` after each deployment. This runs any database migrations for you, plus various other things that can be automated for deployment. -## Alaveteli Version Numbers +<div class="attention-box info"> + You don't need to run the script if you're using Capistrano, because the + deployment mechanism automatically runs it for you. +</div> -Alaveteli uses a shifted version of [semver](http://semver.org). +## Alaveteli version numbers -- Series `W` -- Major `X` -- Minor `Y` -- Patch `Z` +Alaveteli uses a “shifted” version of [semver](http://semver.org) +(just as [Rails version numbering](http://guides.rubyonrails.org/maintenance_policy.html) +does). This means that version numbers are of the form: `SERIES.MAJOR.MINOR.PATCH`. -At the time of writing the current release is `0.19.0.6`: +At the time of writing, the current release is `0.19.0.6`: - Series `0` - Major `19` - Minor `0` - Patch `6` -Alaveteli will transition to the [semver](http://semver.org) specification when it reaches `1.0.0`. +We'll use the [semver](http://semver.org) specification for Alaveteli's +version numbering when it reaches `1.0.0`. ## Master branch contains the latest stable release @@ -73,7 +76,7 @@ Patch version increases (e.g. 0.1.2.3 → 0.1.2.**4**) should not require any Minor version increases (e.g. 0.1.2.4 → 0.1.**3**.0) will usually require further action. You should read the [`CHANGES.md`](https://github.com/mysociety/alaveteli/blob/master/doc/CHANGES.md) document to see what's changed since your last deployment, paying special attention to anything in the "Upgrade notes" sections. Any upgrade may include new translations strings, that is, new or altered messages -to the user that need translating to your locale. You should visit Transifex +to the user that need translating to your locale. You should visit <a href="{{ site.baseurl }}docs/glossary/#transifex" class="glossary__link">Transifex</a> and try to get your translation up to 100% on each new release. Failure to do so means that any new words added to the Alaveteli source code will appear in your website in English by default. If your translations didn't make it to the @@ -92,7 +95,7 @@ Only major releases may remove existing functionality. You will be warned about Special instructions will accompany series releases. -## Deprecation Notices +## Deprecation notices You may start to see deprecation notices in your application log. They will look like: |