[openstreetmap/openstreetmap-website] blocks with needs_view flag not shown when user does oauth authorisation (for example login into an OSM editor) (Issue #5490)
Matija Nalis
notifications at github.com
Mon Jan 13 23:00:28 UTC 2025
> - Sending the user to /login?referer=%2Fuser%2Fusername%2Fblocks is a workaround that somewhat works for non-needs_view blocks too and is not affected by GDPR. (*)
> - Don't care about non-needs_view blocks and want a simpler workaround? Send users to /login. (**)
Hmmm, does doing either of those "workarounds" automatically display the block message to the user of the app (to simplify, assume that the user has just installed the app on a new device, and clicked login, which opened a webview for them to complete the OAuth login flow, but they are blocked)? Is the block message displayed to the user?
If not, how is it a "workaround" at all? The whole point of this issue (as I understand it) is the problem that _"blocks with needs_view flag are not shown when user does OAuth authorization"_.
> Something that already happens is that some apps lie to their users that the token is invalid, although they could have checked it.
I don't know the exact internals of either of the mentioned apps, but I guess if they have made extra checks and extra workarounds on receiving 403, that it was not because they were bored, but because doing that has solved (or worked around, if you prefer) some particular issue(s) that they've had in the past. Do we know what those issues were?[^1]
> It isn't because the problem here is for the apps that want to display the message inside the app. Your suggestion is for the apps that don't want it.
Yes, my suggestion was for the general case. I have no problems with the idea that **in addition** to such an _always-works_ case, there is an _additional_ new API endpoint for apps which prefer more fine-grained handling of the situation.
But if they don't implement those optionals, I think OSM itself (during OAuth flow) should still display the block message while it has control over flow and formatting (i.e. HTML rendered by the app using webview while attempting to log in). Because if we depend on the claim that _"100% of the apps will always do these extra steps which are not unavoidably required functionality"_ we set ourselves up to surely fail (i.e. some apps _won't_ do optional steps, and their users will never see block messages).
[^1]: If we're not sure we know, perhaps we should not tear down that [Chesterton's fence](https://en.wikipedia.org/wiki/G._K._Chesterton#Chesterton's_fence) just yet?
--
Reply to this email directly or view it on GitHub:
https://github.com/openstreetmap/openstreetmap-website/issues/5490#issuecomment-2588405727