spam fighting ...
... the never ending story.

Here are some of my recent attempts in moin-1.9 github repo (soon in 1.9.10 release):

* disabled the "newaccount" action by default.

This is to avoid that spam bots can create lots of user accounts in little time on internet-exposed wikis.

To avoid forcing the wiki admin to create accounts on the shell (or having to toggle the availability of the newaccount action temporarily), I slightly modified the superuser's "Switch user" capability (see "Settings" of superuser): it is now able to switch to a non-existing user (and just create a new user profile on the fly).

So, as a superuser one only needs to give the new username, switch to it, fill in the user's email address and then the account can be claimed by the user on the login page via the "forgot password" functionality (then setting a password, modifying profile settings as needed).

While this method imposes some work on someone in the superuser list, it is totally safe against spammers: there is no way humans or spam bots can create accounts without the help of a superuser.

* safer internal default ACL: Known and All now only have read permissions.

This is to avoid that you accidentally give r/w permissions to the world when running a wiki on the internet. I recently shot myself in the foot by forgetting to configure a safer default ACL (only used acl_rights_before, but did not lock out All/Known for writing).

Sample configs: suggest to use an EditorGroup.

Again, this is a bit more work for wiki admins / group members, but it is totally safe against spammers:

- no default write permissions for All (anon users)
- no default write permissions for Known (anyone who managed to create an account, see also newaccount action)
- you cannot create/modify pages without logging in AND being explicitly allowed by an ACL (by name or by group membership)

Using e.g. an EditorGroup, the work needed to give some legitimate user write permissions can be distributed onto all members of some group (e.g. EditorGroup or AdminGroup).

Note: not much in the original spirit of wiki (allow changes and revert them if they are bad), but guess there are too many idiots out there for this.

For wikis without internet exposure, the more strict new default settings can be undone via the wiki config, if desired.

--
GPG ID: 9F88FB52FAF7B393
GPG FP: 6D5B EF9A DD20 7580 5747 B70F 9F88 FB52 FAF7 B393
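The "only used acl_rights_before, but did not lock out All/Known for writing" mistake above is easy to reproduce in a small model of how moin chains its ACLs. The script below is an added illustration, not moin's own code: it parses ACL strings in moin's "Name:right,right" syntax, resolves a right through acl_rights_before, then the page ACL (or acl_rights_default), then acl_rights_after, with the first matching entry deciding (the +/- modifiers are left out), and audits an "open" config against a locked-down one. WikiAdmin, EditorGroup, Alice and SpamBot42 are placeholder names; the old default ACL string is assumed from memory of moin 1.9's multiconfig.py.

```python
"""Simplified model of how MoinMoin 1.9 combines acl_rights_before,
the page ACL / acl_rights_default and acl_rights_after.

Added illustration, not moin's own code. ACL strings use moin's syntax
("Name:right,right ..."), evaluated left to right with the first matching
entry deciding; the "+"/"-" modifiers are not modelled.
"""

RIGHTS = ("read", "write", "delete", "revert", "admin")


class User(object):
    """name=None means an anonymous visitor; groups are group page names."""

    def __init__(self, name=None, groups=()):
        self.name = name
        self.groups = set(groups)


def parse_acl(acl):
    """Turn 'EditorGroup:read,write Known:read All:read' into
    [('EditorGroup', {'read', 'write'}), ('Known', {'read'}), ('All', {'read'})]."""
    entries = []
    for token in acl.split():
        name, sep, rights = token.partition(":")
        if not name or not sep:
            raise ValueError("malformed ACL entry: %r" % token)
        granted = set(r for r in rights.split(",") if r)
        unknown = granted - set(RIGHTS)
        if unknown:
            raise ValueError("unknown right(s) %s in %r" % (sorted(unknown), token))
        entries.append((name, granted))
    return entries


def entry_matches(name, user):
    """Does an ACL entry name apply to this user?"""
    if name == "All":
        return True
    if name == "Known":
        return user.name is not None
    if name == "Trusted":
        return False  # no trusted auth methods in this model
    return name == user.name or name in user.groups


def acl_decides(entries, user, right):
    """True/False from the first entry matching the user, None if none matches."""
    for name, granted in entries:
        if entry_matches(name, user):
            return right in granted
    return None


def may(config, user, right, page_acl=None):
    """Resolve a right the way moin chains its ACLs: before, then the page's
    own #acl line (or acl_rights_default when the page has none), then after."""
    for acl in (config["acl_rights_before"],
                page_acl if page_acl is not None else config["acl_rights_default"],
                config["acl_rights_after"]):
        verdict = acl_decides(parse_acl(acl), user, right)
        if verdict is not None:
            return verdict
    return False  # nothing matched at all: deny


# Constructed configs; WikiAdmin and EditorGroup are placeholder names.
# The "open" default ACL is what moin 1.9 shipped before this change
# (assumed from memory of multiconfig.py): Known and All can write, so a
# superuser entry in acl_rights_before alone locks nobody out.
OPEN_CONFIG = {
    "acl_rights_before": "WikiAdmin:read,write,delete,revert,admin",
    "acl_rights_default": "Trusted:read,write,delete,revert "
                          "Known:read,write,delete,revert All:read,write",
    "acl_rights_after": "",
}
# Locked-down variant in the spirit of the new defaults: Known and All read
# only, editing needs explicit membership in EditorGroup.
LOCKED_CONFIG = {
    "acl_rights_before": "WikiAdmin:read,write,delete,revert,admin",
    "acl_rights_default": "EditorGroup:read,write,delete,revert Known:read All:read",
    "acl_rights_after": "",
}


def audit(config):
    """Return {user label: {right: allowed}} for the user kinds that matter."""
    users = {
        "anonymous": User(),
        "self-registered": User("SpamBot42"),
        "editor": User("Alice", groups=["EditorGroup"]),
        "superuser": User("WikiAdmin"),
    }
    return {label: {r: may(config, u, r) for r in RIGHTS} for label, u in users.items()}


if __name__ == "__main__":
    for label, cfg in (("open (old default)", OPEN_CONFIG), ("locked down", LOCKED_CONFIG)):
        print(label)
        for who, rights in sorted(audit(cfg).items()):
            print("  %-16s %s" % (who, ", ".join(r for r in RIGHTS if rights[r]) or "(nothing)"))
```

Running it prints the effective rights per user kind for both configs; the open one gives an anonymous visitor write and a self-registered account delete/revert, the locked one gives both read only while Alice (via EditorGroup) and WikiAdmin keep their rights. A page-level `#acl All:read` line still overrides the editor group for that page, but not the superuser, because acl_rights_before is consulted first.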
On Mon, Aug 20, 2018 at 03:30:50PM +0200, Thomas Waldmann wrote:
> ... the never ending story.
>
> Here are some of my recent attempts in moin-1.9 github repo (soon in 1.9.10 release):
>
> * disabled the "newaccount" action by default.
>
> This is to avoid that spam bots can create lots of user accounts in little time on internet-exposed wikis.
>
> To avoid forcing the wiki admin to create accounts on the shell (or having to toggle the availability of the newaccount action temporarily), I slightly modified the superuser's "Switch user" capability (see "Settings" of superuser):
> it is now able to switch to a non-existing user (and just create a new user profile on the fly). So, as a superuser one only needs to give the new username, switch to it, fill in the user's email address and then the account can be claimed by the user on the login page via the "forgot password" functionality (then setting a password, modifying profile settings as needed).
>
> While this method imposes some work on someone in the superuser list, it is totally safe against spammers: there is no way humans or spam bots can create accounts without the help of a superuser.

Cool. :-)

> * safer internal default ACL: Known and All now only have read permissions.
>
> This is to avoid that you accidentally give r/w permissions to the world when running a wiki on the internet. I recently shot myself in the foot by forgetting to configure a safer default ACL (only used acl_rights_before, but did not lock out All/Known for writing).
>
> Sample configs: suggest to use an EditorGroup.
>
> Again, this is a bit more work for wiki admins / group members, but it is totally safe against spammers:
>
> - no default write permissions for All (anon users)
> - no default write permissions for Known (anyone who managed to create an account, see also newaccount action)
> - you cannot create/modify pages without logging in AND being explicitly allowed by an ACL (by name or by group membership)
>
> Using e.g. an EditorGroup, the work needed to give some legitimate user write permissions can be distributed onto all members of some group (e.g. EditorGroup or AdminGroup).
>
> Note: not much in the original spirit of wiki (allow changes and revert them if they are bad), but guess there are too many idiots out there for this.

Well, too many idiots and too many bots. Not enough spammers have been set on fire. :-/

> For wikis without internet exposure, the more strict new default settings can be undone via the wiki config, if desired.

Nod. I'd still love you to take our patch to add email verification - I'd hope it would be useful for lots of people.

--
Steve McIntyre, Cambridge, UK.  steve@einval.com
"Arguing that you don't care about the right to privacy because you have nothing to hide is no different than saying you don't care about free speech because you have nothing to say." -- Edward Snowden
participants (2): Steve McIntyre, Thomas Waldmann