socksthewolf / antiscambot Goto Github PK

Instead of handling all the messaging formatting and parsing ourselves, it would be better if we use the @command markup because they are better at argument processing as well as typing.

https://discordpy.readthedocs.io/en/stable/ext/commands/commands.html

It would be great to have a series of unit tests built in that could be ran and validated against. I'm not aware of any python unit test frameworks and their functionalities, so this would require a bit of research.

Scope of task is as follows:

• Find unit test library to use
• Create bot in discord developer center for just testing
• Implement multiple unit test cases (see below)
• Create testing folder for handling said tests

Tests to run:

• Command sent for banning
• Command sent for unban
• Banning in a server
• Banning without permissions
• Invalid input checking
• more as necessary

On finish of this task, a creation of a new task to have the system automate a test run on python commits/merge requests should be made.

This task should wait until #3 is completed, and probably should wait until #28 is too

Goal: Implement a Discord modal that allows for moderators to report commission scams without having to be in the control server. This can be brought up by any user with the administrator or ban permission.

This would direct the correct information to the TAG control server, by making a reported post. There would be a significant server wide cooldown implemented as well to prevent users from abusing it.

Our permission detection is very reliable, so we can just mark the server as deactivated if a ban doesn't go through for this reason.

See here regarding steps/documentation.

If the bot gets added to a server but not activated after a set amount of time, dm the server owner to tell them about activation (if they are not already in the control server).

We can use a couple of checks to make this not invasive nor annoying.

See here for documentation/setup.

This might work if we change the tag replacement code to be proper liquid eg {{ site.bot_name }}, but would require some investigation on if the Jekyll-seo project will handle these.

Right now, any link cards show the default string site.bot_name due to github not supporting the liquify plugin.

Currently these do not get updated at all, during the small windows that the bot is offline.

This should be done to make it clear for anyone that decides to spin up an instance of the bot, what flags they need to set to have a working instance

Currently, we have a standard error if we cannot execute the ban on a scammer due to permissions.

The problem with this standard error is that we don't know if we can't execute the ban because we lost ban permissions, or if the scammer in question is in the server with a role higher than ours.

The goal of this task is to see if we can detect if the issue is due to a role ranking difference without bringing in the server members nor the presence intents, as both intents are special and require extra permissions that I rather not add (see Discord's principles of least privilege).

Plus the fewer permissions we use, the better we are off.

Summary: When the destructive action is attempted to be performed, show the calling user a ui model (discord.ui.View) that gives the option to ban.

When it should run:

• The caller of the command has permission to execute
• The target scammer id is valid
• The target scammer is not already in the database

What information should it show:

• all the information that gets generated in the current discord.Embed generator function
• account age
• bio?

Actions that can be performed:

• Button to confirm the ban
• Button to close the model view (Cancel). This only just closes the view and does nothing else

Note: to avoid race conditions, we should make sure that we check if the user is already banned in the database before the ban operation is performed. This action is already done asynchronously, so this addition to the code could introduce a new issue.

If the bot is kicked while it is running from a discord server, we should remove it from our activated list. This is needed to be implemented for #9 to be put into place.

Currently, we just use whatever is the latest of these packages, but that can be an issue if any of our requirement modules has a major update. The goal is to update our requirements file so that it freezes properly.

Goals:

• Freeze the requirements file to the current latest versions
• Set up dependabot yml file to make sure that we are properly updating these modules.
• Have a github deploy action do a pip update whenever the requirements.txt updates

During reprocessing of bans, we should check that we have the permission to ban/unban.

This can be done by having the bot check during activation/deactivation if the permission was granted. If not, then potentially send an error message back when trying to activate instead of responding with the success message.

This would be good to do, especially if we move to a different cloud platform.

Currently there is no documentation regarding the new scamguard slash commands for reporting/checking bans. This should be properly documented on the website!

This would, via a command, scan the thread for a discord id (in the title or body of the post) and then get it ready for a scam ban. This would be easy to implement, and be helpful for mobile users.

To get the thread title:
Check the channel type, if it's a typeof Thread, then you can just use the name property and it will give you the title in plain text.

To get the first post, we would have to read the message history.

Goal: right now these functions seem to share similar code with the only difference being the flag of the async operation and some naming and returns.

Create a new function that handles a ban/unban based on a single bool flag, to help lower potential code duplication.

Logging this here but it appears that /activate may not properly work for moderators in servers where the bot was invited. This is likely a permissions lookup issue that needs to be resolved.

It works correctly for owners, likely meaning it is a permission issue.

Right now it says "reported scammer by XXXXXX", it should say something along the lines of "Confirmed scammer by XXXXXX".

These ban messages are handled in the DiscordBot.py file.

Scamcheck is currently a global command. This is great, however, this means that anyone outside of the control server can do a scamcheck lookup even if they are not a moderator.

Currently we are on digital ocean. This is fine, but because we are python, memory is going to start jumping up overtime. Currently, DigitalOcean counts the memory usage of the OS against you, which is less than ideal because the OS uses about 30% of the 512MB plan we are on (verified via top before running app)

With 18 servers active and 21 in, we have a total of 38% usage of our RAM.

We are good for the next few months as we have free digital ocean credits, but we’ll want to move to railways as it gives us 8GB of RAM.

This will require the following changes:

• Some way to find the .env file
• Env file stores path to config file
• Update to have file access not be hardcoded (be in config for bans.db)

Eventually, we will want to have the database move over to a db managed instance, but that can be for a different time.

Currently database functionality exists in the same class as the discord handling, and it looks like a chaotic mess. We could move the database functionality to another class instead of having it one big one.

So it might be confusing because the bot requests the read messages role for other servers and some might be adverse to this, even though it does not log nor does it read any message that does not have a ? as the starting character.

Eventually, when we move to the solution in #3, we can switch to the add bot via link instead of clicking on its profile to add, thus significantly lowering down processing (as it will strictly only run those commands in a control server).

Would be invalidated by #3 and by #23

However this would be a nice quality of life change to give the user some information as to why it didn’t work.

This calls for moving the code that handles lookups, banning, unbanning and the connection between the discord bot and the database to a new class.

Thus making the bot code solely handle eventing and messaging.

Print commands can overflow the 2000 character limit that Discord enforces onto bot messages.

Get around this by splitting up the message.

Currently, discord's expiration implementation causes images from remote reports to be wiped after the expiration. This is a problem for reports as it means data can be lost.

We need a way to keep that information.

An issue we've had for awhile now is users will add the bot to their server but then never activate it, so it sits dormant in their server.

We either need to increase messaging with like a first time message that's posted whoever adds the bot if possible to let them know. Slightly related to #23

Specifically, this should add either a new few columns into the banned accounts table or should be an entire separate table.

The goal of this is to populate the information with links to report threads (store a list of thread ids, not the actual links). The bot can resolve those thread ids when it generates said embed data.

This requires tweaking the database to migrated to one that has better typing/formatting rules. Right now, it's kind of a mess, and even worse if we ever have to upgrade the server.

Look into ways to potentially make this easier to work with that can also build queries. There are a few python libraries that can help.

Currently, the two names in the system are:

"BEGONE, SCAMMER" and "Commission Scammer Banner".

Both of these names are not very great, and we should probably determine a better name before verification, as that will permanently lock in our bot's user name as per this support article.

Will need to also update the screenshot seen here once names have been chosen.

A couple things need to be done for the general website:

• google verification
• google analytics
• sitemap

https://github.com/jekyll/jekyll-sitemap

This allows us to also directly write to the server's moderators whenever something goes wrong and will also let us push updates to tickets too. This would be extremely handy for communication, and responses as well.

Something like this could be accomplished with a /setup command the bot could have that would bring up a custom modal with instructions and assignment.

Currently blocked on #33, this is the task to work with Discord to get the bot verified.

Lower priority, originally this would retry to add the last N activities for a server (such as ban/unban) in the event something's going wrong on the discord side.

Apparently, you can only have 10 published posts per hour. If we get a banwave, like the one this morning, then some posts will not publish.

We should enqueue those posts to try again in the future.

Bot stores minimal info, so we probably don't need to go super wild with this.

The only things that are stored are:

• Servers activated in
• Who owns those servers
• If a user is banned
• Who banned them
• When they were banned

And that's really just it. When we go for bot verification, we'll probably need to make sure we have this.

This is going to be necessary for scalability eventually. While ratelimiting is already handled, we will want to default sleep after doing several amounts of bans as the lists grow and grow.

This will become more and more important as things move forward.

Instead of having it on the bot page, it might be better to separate the FAQ into its own documentation page.

It might just make it easier to find, which users are going to be looking for.

Bot verification now also requires getting a terms of service document created for your bot. Information here.

Tasks:

• Find a good example of said document
• Create a terms of service document
• Update the webpage to link to said TOS document

The database does not update the server owner list so if a transfer happens, then the data in the database is incorrect.

The bot should be able to detect if a discord server migrates owners.

This might not be possible via the API by itself and may require more information from the user, but if the bot was added by someone who is not the server owner, but then they should be also able to ?activate the bot as well.

Look into it

This will need a way to tell for certain that the person is actually gone vs the discord API is not responding. When we go to activate bans, it doesn't make sense to waste a ban command on an user account that cannot come back (deleted permanently by Discord).

This requires checking to see if the account is deleted, and if so, remove them from the database.