Wow! This was a busy month. From emails, to users, to events… And some other things. If you want to know what happened to JudgeApps during the month of May, you’re in the right place.
For those of you who missed Dan’s post, we’re now verifying email addresses for JudgeApps accounts. If you ever missed a GP application window, got locked out of your account because the password reset email was sent to a different address, or missed a notification about your judge level maintenance requirements, you know why this is an important step.
We had a few issues when the verification emails started going out, but as far as we know, they’re all fixed now. The first issue was that people weren’t expecting the emails in the first place, and were alarmed when they arrived. We attempted to make this process as painless as possible by clarifying the message and header of the email as much as we could.
Even if you were expecting an email the next time you logged into JudgeApps, some people were surprised to get one without visiting JudgeApps at all. Apparently, blog posts that refer to a judge load an image from that judge’s JudgeApps profile. If a judge was logged in to JudgeApps (most people stay logged in at home) and read a blog post that featured a judge, the JudgeApps server received a request while an unverified judge was logged in, and sent an email to the judge reading the article, as if they had just visited the JudgeApps website. This shouldn’t happen anymore.
The last issue that was ironed out was new users not being able to verify their emails. They got an email, they clicked on the verification link, and then they got an error. Because those accounts weren’t active before the email was sent, they weren’t allowed to access JudgeApps, including the activation page. We made sure this link is now accessible to new accounts as well.
Security and Privacy
A common theme in the last few months is our efforts to improve the security of the website and protect the privacy of our users. This month was no different.
We talked about OIDC in the March update, and now we have changed the login duration for OIDC sessions to one minute. What does that mean? When you connect through the website, you probably do so from your own computer or phone, and you intend to spend some time logged in. When you’re using a 3rd-party app to do so, however, you probably don’t need JudgeApps beyond getting some user data, so there’s no need for the session to be open (and your account accessible) for more than a short period of time.
Another issue was the ability to access parts of events that are still marked as drafts by guessing the event number. We changed the permissions required to access events, so being logged in to JudgeApps isn’t enough anymore. Now you actually have to be on staff for the event to be able to see it before it’s published. We also fixed a small bug that allowed people who are not logged in to look up judges and draft events, because an undocumented API used by the “autocomplete” fields had accidentally been left open to the public.
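The permission rule described above (published events are public, drafts are visible only to their staff, and the autocomplete lookup applies the same rule rather than bypassing it), as an added example written for this post, not JudgeApps code. The User and Event classes and the function names are assumptions; JudgeApps’ real models will differ.

```python
# Added example, not JudgeApps code. Models the draft-event permission rule as a
# pure function so the two fixes from the post (staff-only drafts, no anonymous
# autocomplete) can be checked side by side. Names are assumptions.
from dataclasses import dataclass, field


@dataclass
class User:
    username: str
    is_authenticated: bool = True


ANONYMOUS = User(username="", is_authenticated=False)


@dataclass
class Event:
    event_id: int
    name: str
    published: bool
    staff: set = field(default_factory=set)  # usernames on the event's staff


def can_view_event(user: User, event: Event) -> bool:
    """Published events are public. A draft is visible only to its staff.

    A logged-in user who is not on staff gets the same answer as an anonymous
    visitor, so guessing a draft's event number no longer reveals anything."""
    if event.published:
        return True
    return user.is_authenticated and user.username in event.staff


def visible_events(user: User, events: list) -> list:
    """The event list this user is allowed to see; every lookup should filter through it."""
    return [e for e in events if can_view_event(user, e)]


def autocomplete_events(user: User, prefix: str, events: list) -> list:
    """Autocomplete-style lookup. The bug in the post was an internal endpoint that
    skipped both checks below: it answered anonymous callers and searched all events."""
    if not user.is_authenticated:
        return []  # the endpoint is for logged-in users only
    return [e.name for e in visible_events(user, events) if e.name.startswith(prefix)]
```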
Finally, we improved XSS protections for a total of five types of data on the site. Previously, we assumed that certain data was HTML-safe, which meant that, technically, someone could enter text in those fields that included scripts that would run in another user’s browser. We now make sure that text can’t be interpreted as code.
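To show what “assumed HTML-safe” versus “escaped” means in practice, here is an added example (written for this post, not JudgeApps code) that renders two profile fields into HTML the old way and the fixed way. The field names, the `render_*` functions and the http(s)-only link rule are assumptions.

```python
# Added example, not JudgeApps code. render_unsafe is the 'before' case the post
# describes (user text trusted as HTML); render_safe is the corrected behaviour.
import html
import re


def render_unsafe(display_name: str, website: str) -> str:
    """Before: user values are interpolated as if they were already HTML.
    A name containing <script>...</script> becomes live markup for every viewer."""
    return f'<h1>{display_name}</h1><a href="{website}">{website}</a>'


def safe_url(url: str) -> str:
    """Attribute context needs more than escaping: only http(s) links are allowed,
    so schemes a browser would execute (javascript:, data:) are replaced with '#'.
    The scheme check runs on the raw value, then the survivor is escaped."""
    if re.match(r"^https?://", url, re.IGNORECASE):
        return html.escape(url, quote=True)
    return "#"


def render_safe(display_name: str, website: str) -> str:
    """After: every user value is escaped for the context it lands in, so the
    browser shows the characters literally instead of interpreting them."""
    name = html.escape(display_name, quote=True)  # & < > " ' become entities
    url = safe_url(website)
    return f'<h1>{name}</h1><a href="{url}">{url}</a>'


def contains_live_markup(rendered: str, tag: str = "<script") -> bool:
    """Check helper: True if the payload survived rendering as a real tag."""
    return tag in rendered
```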
Forum emails got some attention this month, with several improvements. First, we updated the footer (the part at the bottom with all the links). It now tells you how many people you’ll be replying to, and allows you to send a reply directly to the post author. Second, we added some line breaks, to make the footer more readable.
Beyond the cosmetics, the links didn’t work in some email programs. This should be fixed. Also, we sped up the process of deciding who should get a notification for forum posts, so it takes less time for a notification to be sent after a message is posted.
First of all, if you didn’t read Dan’s post about updates to user accounts (linked above), you should. We have new guidelines about what should (or shouldn’t) be in your profile. Your name should be the one people call you by. A nickname is even better than your full name if that’s what people call you. The purpose is for people to know what to call you when they meet you. Names that are intended to hide your identity are not allowed. Your location must be correct, and within your main region. You can hide it so people can’t see it, but it must be where you currently reside. Your DCI number should be the one you use when you judge. We use it to check your activity with WotC for renewal purposes, and the wrong DCI number might cause problems. Finally, the websites and social media links you add to your profile are expected to relate to you, and your activity on those websites is expected to be in accordance with the Judge Code of Conduct.
On the more technical side, we fixed a tooltip that messed with the profile picture. You can also add a link to your Twitch account to your profile.
In addition to user profiles, the policy for events was updated as well. Events are meant for two purposes: staffing tournaments, and education. While social gatherings are very important and highly encouraged, they should not be official JudgeApps events. Events created on JudgeApps send notifications to a lot of people, and make relevant events harder to find. Social gatherings can be managed through social media or the forums instead.
In a similar fashion, we are trying to separate important information from social chatter by adding a new feature to GP events. Now, instead of one forum, where shift information can be completely lost in a sea of escape room and room-sharing posts, each GP will have two forums: one for official announcements, and one for everything else. Each of those forums has its own notification settings, so you can turn off all the chatter without missing the HJ’s plan for product distribution.
If you liked what we did this month, or have any ideas for us to implement in the next, please send some feedback our way.