Closed Bug 1426673 Opened 3 years ago Closed 3 years ago

The logout link cannot be found as what Sessions page says

Categories

(bugzilla.mozilla.org :: General, enhancement)

Production
enhancement
Not set
normal


RESOLVED FIXED

People

(Reporter: bugzilla, Assigned: kohei.yoshino)

References

(Depends on 1 open bug)

Details

Attachments

(2 files)

This is a recent change to Bugzilla interface (since 3-5 days or so).

I no longer can see on any page if I am logged in. 

I no longer can see a link or a button offering to log out, to quit, to disconnect.

How to disconnect/log out from bugzilla server should be as easy, simple and obvious as connecting/logging in to bugzilla server.
"You can use the "Logout" link from the top right menu for that."
https://bugzilla.mozilla.org/userprefs.cgi?tab=sessions

Not true anymore. 

The previous design for logging in and logging out was simple, easy, obvious. Now, it is a mystery where the button or link to logout is. No documentation on such changes. And no reason whatsoever as to why the previous design was insufficient, or had a flaw or needed/required a new design.
Severity: normal → major
Priority: -- → P1
The Log out link has been moved to the account menu at the top right corner of the header, like many other modern web apps. Just click your avatar icon to find it. I'll update the Sessions page's copy accordingly.

Since this is not a banking site or whatever, I don't think the Log out link should always be displayed on the page. Most of the users remain logged in, I believe. If you log out often from Bugzilla or any other sites, I'd recommend you to do it with the browser's privacy feature.
Assignee: user-accounts → nobody
Severity: major → normal
Component: User Accounts → General
Priority: P1 → --
Product: Bugzilla → bugzilla.mozilla.org
QA Contact: default-qa
Version: unspecified → Production
Assignee: nobody → kohei.yoshino
Blocks: 1376826
Status: NEW → ASSIGNED
Summary: Unable to log out or no way to see how to log out → The logout link cannot be found as what Sessions page says
> The Log out link has been moved to the account menu at the top right corner
> of the header, like many other modern web apps. Just click your avatar icon
> to find it.

I do not have an avatar icon. I do not use an avatar icon. And I do not see where is that log out link!

> I'll update the Sessions page's copy accordingly.
> 
> Since this is not a banking site or whatever, I don't think the Log out link
> should always be displayed on the page. 

I disagree. I should be able to log out at any time for whatever reason. And so the log out link should be visible, viewable, accessible at all time.
A log out button or link should be like a door knob: I should be able to leave a room easily, quickly, without asking myself "Where is the door by which I entered this room?" "Why is it that I no longer can find that door or that knob?". 

> Most of the users remain logged in,
> I believe. 

Well, I do not remain logged in at all times. User accounts can be hacked, you know...

> If you log out often from Bugzilla or any other sites, I'd
> recommend you to do it with the browser's privacy feature.

Please be a bit more explicit here. What should I be doing with browser privacy feature... ? I am using Firefox 52.5.2 ESR and all I see with Firefox privacy preferences is cookie and history management.
Kohei,

here's what my bugzilla bar looks like: the extended menu indicated by the chevron "»" is expanded in the screenshot. There is no log out link in that account menu.

1503px wide by 184px tall, 80 Kbytes
I do not even see a clear indication that I am logged in or if I am logged in. I have to search carefully the page to know that. It's frustratingly confusing.
Hmm, strange, even if you haven't set your avatar, you should see the default one: https://secure.gravatar.com/avatar/852f2e3af64a149b573856662c4ec856?d=mm&size=64

Are you perhaps blocking gravatar with any extension?

See these screenshots for what it should look like: https://twitter.com/BugzillaUX/status/943694235819061248
> > If you log out often from Bugzilla or any other sites, I'd
> > recommend you to do it with the browser's privacy feature.

I allow cookies (but not 3rd party ones) until I close Firefox. So, that setting should be okay.

- - - - - 

> you should see the
> default one:
> https://secure.gravatar.com/avatar/
> 852f2e3af64a149b573856662c4ec856?d=mm&size=64

No. Right now, I do not see the default avatar. I see the typical broken image icon on the lefthand side of my name and on the lefthand side of your name right now. This may be related to Ghostery extension I installed recently ... (or maybe an adblock extension I recently configured)

> Are you perhaps blocking gravatar with any extension?

Indeed, I am perhaps blocking gravatar with an extension: that makes sense. But not willingly. Not on purpose. I installed Ghostery extension (version 8.0.1.2) a few days ago, 3-5 days ago.

> See these screenshots for what it should look like:
> https://twitter.com/BugzillaUX/status/943694235819061248


Investigating this furthermore...

<img src="https://secure.gravatar.com/avatar/f84bbc6968ecda0a64ab50d1060c320e?d=mm&amp;size=64" class="gravatar" width="32" height="32">
and the tooltip display in developer tool says "Impossible to load"


Web console also reports 1 warning and 1 error (in French):
{
loading pref showConsoleLogs before prefs were initialised, you will not get the correct result  content-script.bundle.js:333:7

Content Security Policy: Les paramètres de la page ont empêché le chargement d’une ressource à data:application/javascript;base64,dmFyI... (« script-src https://bugzilla.mozilla.org 'nonce-SYObObST7JCBuk8oyE1ksFzBDJzD2cqWGqm0WokMy81cQ5nG' 'unsafe-inline' 'unsafe-eval' https://www.google-analytics.com »).
}

Page parameters have prevented the loading of resource at .... 'unsafe-eval' https://www.google-analytics.com » . 

I now confirm this: Ghostery version 8.0.1.2 as installed and configured on my system blocks the Google website analysis cookie tracker which is in the bugzilla webpage!
Okay. I now need to correct some statements I made in the previous comment.

I allowed Google Analytics tracker cookie in Ghostery for bugzilla.mozilla.org website and my default gravatar was still not viewable: so Google Analytics tracker cookie is not the source of the problem. The gravatar cookie (in category social network) is being blocked by Ghostery.

Okay. Workaround is to allow gravatar cookie in Ghostery.

https://apps.ghostery.com/en/apps/gravatar

and now I can see the default gravatar!
you know what, we're not going to feed this data to gravatar any more.
Gérard Talbot:

Let me make two things abundantly clear:

We are not responsible for making sure bugzilla works after modifications by browser extensions.

Kohei is a volunteer that provided the most substantial UX refresh we have ever received. I greatly appreciate his effort,
and I do not appreciate the tone you've taken in this thread. I think a review of "Etiquette and Contributor Guidelines" linked below would be appropriate.

I am, however, interested in moving gravatar requests server-side, for several reasons that predate this bug.
I pointed out in bug #1376826 (two comments there: 7 and 11) that the logout link was not visible.  I mentioned that good user interface design for a secure Web site means that user should not have to navigate to find the logout link.  Worse, for Bugzilla, the user would have to guess how to navigate to the link.  

This bug #1426673 is a result of hiding -- and then losing -- the logout link.  Fixing this bug should involve placing the logout link in the header and not hiding it.
I think we can close this bug. As :dylan said we are not responsible for the results of content blocking.
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Resolution: --- → WORKSFORME
(In reply to Dylan Hardison [:dylan] (he/him) from comment #11)
> Gérard Talbot:
> 
> Let me make two things abundantly clear:
> 
> We are not responsible for making sure bugzilla works after modifications by
> browser extensions.

I did not create the gravatar tracking icon. I did not even know that a gravatar tracking cookie even existed.

I did not make the new log out interface to bugzilla *_dependent_* on that gravatar tracking cookie.
Please keep these in mind.

> Kohei is a volunteer that provided the most substantial UX refresh we have
> ever received. I greatly appreciate his effort,

Oh, I am sure you do.

> and I do not appreciate the tone you've taken in this thread. 

Well, you obviously misunderstand my perspective.

> I think a
> review of "Etiquette and Contributor Guidelines" linked below would be
> appropriate.

Really!?

> I am, however, interested in moving gravatar requests server-side, for
> several reasons that predate this bug.

If you read my initial comment, the description comment, I have described as best as I could the problem I was having due to the new design and the new dependence on that gravatar tracking cookie/icon. Whether or not I was knowingly, willingly and/or wittingly blocking such avatar is one thing, one issue. Whether the new bugzilla code design was refusing to display basic, navigation component like a) a link to log out and b) an indication that I was logged in __ just because I blocked that gravatar tracking cookie __ is a correct policy, is an adequate and fair policy, is a reasonable policy is a debatable question. 

I blocked with Ghostery the Google website analysis cookie tracker (Google Analytics), you see. And the logout link is nevertheless accessible and there is a logged in indication. 

Dylan, We disagree. You did not have to treat my opinion as abuse just because we disagree on the appreciation of such new and unannounced policy.
> we are not responsible for the results of content blocking.

I still do not get this. I do not use, I do not have a gravatar icon. I never used a gravatar icon. 
And if I filter (willingly or not) that gravatar tracking cookie, then I should be considered responsible or held responsible (and all its logged in indication and log out link consequences) for blocking such tracking cookie. In your comments and in Dylan's comments, I am responsible for the consequences that lead me to file this bug.
Where is the logout link?  Until you tell us, this bug report should remain open.  

Since there is a loss of an existing function with significant potential adverse security impact without any work-around short of a complete termination of my browser, this bug report should be Major ("Major loss of function") and not Normal ("Regular issue, some loss of functionality under specific circumstances").  However, editing this bug report provides only Normal as a possible Severity.
Status: RESOLVED → REOPENED
Resolution: WORKSFORME → ---
Gérard, please ask Ghostery for why the Gravatar image is blocked when you block Gravatar cookies. It's off-topic here.
Status: REOPENED → RESOLVED
Closed: 3 years ago
Resolution: --- → WORKSFORME
I actually don't allow cookies by default in my Firefox, and don't see any Gravatar cookies in the browser's cookie manager, but Gravatar images are still visible. We load the images in the standard way here on BMO [1]. It's the extension's problem.

[1] https://en.gravatar.com/site/implement/images/
We provide two different toggles to control loading gravatars, as well.
https://bugzilla.mozilla.org/userprefs.cgi?tab=settings#show_gravatars
> ask Ghostery for why the Gravatar image is blocked when you block Gravatar cookies.

I might ask them ... I found their email address.

> We provide two different toggles to control loading gravatars, as well.
> https://bugzilla.mozilla.org/userprefs.cgi?tab=settings#show_gravatars

I never knew these settings (Show gravatar images when viewing bugs and Show my gravatar image to other users) existed. 

If I turn off the setting
"Show gravatar images when viewing bugs"
then will I still be able to reach my bugzilla account preferences, profile and settings afterwards? See what I mean?
> I might ask them ... I found their email address.

I just sent Ghostery support people a short email asking the question and linking to this bug report.
> I actually don't allow cookies by default in my Firefox, 

I don't allow 3rd party cookies by default in Firefox. And I have "Do not track" setting enabled.

> and don't see any
> Gravatar cookies in the browser's cookie manager, 

I do not either. 
I have installed Lightbeam (which is an extension created by Mozilla) and they report s0.wp.com and s1.wp.com from en.gravatar.com . I am trying to understand all this.

> but Gravatar images are
> still visible.

I hope Ghostery support people visit this bug report and make a useful comment on all this.
Firefox Lightbeam 2.0.4
https://addons.mozilla.org/en-US/firefox/addon/lightbeam/
"shows you the relationships between these third parties and the sites you visit."
So, it reports but does not block tracking cookies.
(In reply to Gérard Talbot from comment #20)
> > ask Ghostery for why the Gravatar image is blocked when you block Gravatar cookies.
> 
> I might ask them ... I found their email address.
> 
> > We provide two different toggles to control loading gravatars, as well.
> > https://bugzilla.mozilla.org/userprefs.cgi?tab=settings#show_gravatars
> 
> I never knew these settings (Show gravatar images when viewing bugs and Show
> my gravatar image to other users) existed. 
> 
> If I turn off the setting
> "Show gravatar images when viewing bugs"
> then will I still be able to reach my bugzilla account preferences, profile
> and settings afterwards? See what I mean?

When you use the setting, as opposed to arbitrarily modifying the content of the page, no functionality is broken.
One thing -- the setting is "Show my gravatar image to other users". If you hate gravatar you should turn both off.
> as opposed to arbitrarily modifying the content of the page,

I did not know I was blocking content (an image; a default image on top of everything) when using Ghostery on BMO webpages, okay? I knew I was blocking 3rd party tracking cookies though, okay? And I did not know BMO was designed to allow a 3rd party tracking cookie in its pages.

> If you hate gravatar

Per se, I am indifferent to those little images. I do not dislike those images, unless, of course, there is something wrong with the images themselves. I have a low opinion of websites creating, using and setting 3rd party tracking cookies though and websites responsible for relentless tracking, data fetching, privacy abuse and monetization throughout the process.
Duplicate of this bug: 1427439
As :dylan said we are not responsible for the results of content blocking, but we could probably work around the issue by using a simple JavaScript image loader. At least the fallback avatar should be displayed.
Status: RESOLVED → REOPENED
Resolution: WORKSFORME → ---
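
The workaround proposed in the comment above (load the avatar through script so that a blocked third-party request degrades to a fallback image instead of hiding the account menu) could look like the following. This is an added example, not the code from the attached pull request or from Bugzilla; `loadAvatar`, its options and the URLs are hypothetical.

```javascript
// Added example; names and URLs are hypothetical, not Bugzilla's own.
// The visible <img> starts on a same-origin default and is upgraded to the
// third-party avatar only if that request really succeeds. A request blocked
// by a content blocker or tracking protection surfaces as an error event,
// so the control that wraps the image (account menu, log out) stays usable.
function loadAvatar(img, remoteUrl, fallbackUrl, options = {}) {
  // createImage is injectable so the logic can be exercised outside a browser.
  const createImage = options.createImage || (() => new Image());
  const timeoutMs = options.timeoutMs === undefined ? 3000 : options.timeoutMs;

  img.src = fallbackUrl; // never leave a broken-image icon in the header

  let done = false;
  let timer = null;
  const settle = (loaded) => {
    if (done) return;          // first outcome wins
    done = true;
    if (timer !== null) clearTimeout(timer);
    if (loaded) img.src = remoteUrl;
  };

  const probe = createImage(); // off-DOM probe, not shown to the user
  probe.onload = () => settle(true);
  probe.onerror = () => settle(false);               // blocked, 404, network error
  timer = setTimeout(() => settle(false), timeoutMs); // stalled request
  probe.src = remoteUrl;       // starts the request in a browser
  return probe;
}

// Browser usage (selector and paths are assumptions):
//   loadAvatar(document.querySelector('#header-account img'),
//              'https://avatars.example/u/123.png',
//              '/images/default-avatar.png');
```

Independently of the loader, the menu button should carry its own accessible name so that it is operable even when no image loads at all.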
And the img tag needs content in its alt attribute.
It's not necessary because there's the aria-label attribute.
Status: REOPENED → ASSIGNED
Attached file github pull request
(In reply to Kohei Yoshino [:kohei] from comment #30)
> It's not necessary because there's the aria-label attribute.

I have not found where in the HTML 5.2 specification the presence of an aria-label attribute makes the alt attribute optional.  I have found many references in the specification that make a non-blank alt attribute mandatory.
The alt attribute is certainly mandatory but making it empty is totally fine, otherwise screen readers may read the same label twice. Also, don't refer to W3C's HTML 5.2 spec. It sucks. Just read the living standard instead.
Some notes:

* The latest version of Ghostery doesn't have any cookie or script settings. Gravatar is just categorized into Social Media and it won't be blocked with the standard one-click setup. The UI is probably different from the older version available for Firefox 52 ESR.

* The built-in Tracking Protection in Firefox also blocks Gravatar if you enable the functionality and choose the strict mode, which is not default. I'm still not sure Gravatar is actually a tracker (the images don't even set cookies), but the block list is made by a third-party vendor (Disconnect) and basically out of control of Mozilla.

* The workaround I proposed can be removed once Bugzilla implements a proxy script and/or its own avatar setting (Bug 1426753).
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
> > ask Ghostery for why the Gravatar image is blocked when you block Gravatar cookies.
> I just sent Ghostery support people a short email asking the question and
> linking to this bug report.

Here's the first half of the email sent on December 29th 2017:
{
Dear Ghostery support people,

Question: Why Gravatar image is blocked when Ghostery blocks the
Gravatar cookie?

https://bugzilla.mozilla.org/show_bug.cgi?id=1426673#c17
(...)
}

Here's the reply I got today:

{
Christopher Tino, Jan 26, 12:05 PM EST

Hey Gerard, sorry for the delay.  We're working through a big backlog of support tickets.  Ghostery doesn't only block Gravatar cookies, it will block any requests made to gravatar.com.  That's why the image does not show. Hope this helps,
Chris
}