[pydotorg-www] Changing default wiki permissions

M.-A. Lemburg mal at egenix.com
Fri Jan 25 12:19:23 CET 2013


On 24.01.2013 23:24, Paul Boddie wrote:
> Aahz wrote:
>> On Thu, Jan 24, 2013, M.-A. Lemburg wrote:
>>> We're currently working on setting up the new VM with the Python and
>>> Jython wikis.
>>>
>>> In order to increase security and also to help a bit with avoiding
>>> spam/vandalism, we'd like to disable editing of wiki pages without
>>> login.
>>>
>>> Any objections ?
>>
>> That was in fact the setup previously, and I strongly support reverting
>> to it.  As Barry notes, there are some pages that will need a higher
>> level of protection, but as long as we've got off-VM backups, we can
>> handle any mishaps.
> 
> Indeed. I don't buy into the myth that people perpetuate about Wikis having to 
> allow anonymous access or otherwise be instruments of The Man, or whatever. 
> The Internet is full of people who will happily pollute any editable site 
> with their idiotic spams and scams, and some fairly basic measures will deter 
> the bulk of these people.

Given the positive echo, we'll go ahead with requiring logins for
edits by default.

> I recommend...
> 
> Requiring some kind of login. This actually makes it easier for the editors to 
> see at a glance who has edited a page (Aahz rather than, say, 
> 123-client.456-server.verizon.com) and make a quick judgement about whether 
> the edit needs investigating. We can support OpenID - you can even use your 
> Python Package Index identity! - and so don't even need to make people set 
> and remember distinct passwords.
> 
> Maintaining the textcha protection for random newcomers. I appreciate that 
> textcha questions can be a pain - on one Wiki I use, the questions required a 
> fair amount of research on my part because I am a mere developer and not part 
> of the target audience - but we can migrate people quickly to a group/list 
> that doesn't get bothered with questions. Textcha can be very effective: on 
> some sites I've seen where they turned the feature on, spam was more or less 
> eliminated.

We are using text-based captchas for the Python and Jython wiki -
for both unregistered and registered users. There's a group
of trusted editors which doesn't have to bother with the captchas.

Additionally, we have a blocked user group to disable known spam
accounts.

> Having some kind of mechanism for managing new user registration. I wouldn't 
> want to impose the approval of new users because it stops the quick-but-good 
> edits of people who are new to the Wiki but want to fix something, but it is 
> the case that there may be a lot of "registration spam", meaning that the 
> Wiki fills up with users who will never succeed in making an edit because 
> they can't answer the textcha questions. Maybe there are already tools that 
> deal with this. If not, I may be encouraged to write something.

We currently have 11000 users registered for the Python wiki. I do
believe that many of those are no longer in use. Since we're resetting
the password of the users now, we should get a good feel for the
actual number of active users after a few months: the inactive ones
will show up as not having registered a new password.

> Beyond this, we could introduce edit approval for random newcomers - I wrote 
> something that puts edits in approval queues - but this is really something 
> for a site where you want the barrier to editing to be very low but the 
> barrier to publishing to be much higher. For the Python Wikis, the barrier to 
> editing should be low but not *very* low, and the barrier to publishing 
> should not be significantly higher.

If spam from registered users becomes more of a problem, we could
increase the number of captcha phrases.

> Finally, I would like to thank Marc-André for his forensic and recovery work 
> as well as Thomas and Reimar for their work in attempting to restore the 
> content. Once again, the PSF should be thanked for making resources available 
> for the improvement of MoinMoin in various respects. Ensuring the vitality of 
> widely-used Python projects like MoinMoin is an essential part of ensuring 
> the vitality of Python itself.

Thanks,
-- 
Marc-Andre Lemburg
eGenix.com
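
The policy discussed in this thread (no edits without login, a blocked-users group, a textcha-exempt group of trusted editors), as an added example that is not part of the original message or the wiki's actual configuration. It is a simplified model of MoinMoin-style ACL strings; the group names, members and ACL strings are constructed, and only unprefixed entries are modelled.

```python
# Added illustration: simplified, stand-alone model of MoinMoin-style ACLs.
# Group names, members and ACL strings are constructed for this example.
# Not modelled: "+"/"-" modifiers, per-page ACLs, the "Trusted" pseudo-user.

# Open policy: anonymous visitors ("All") may write.
ACL_OPEN = "Known:read,write,delete,revert All:read,write"
# Login required for edits: "All" is reduced to read.
ACL_LOGIN = "Known:read,write,delete,revert All:read"
# Evaluated before the default, so a blocked account is stopped first.
ACL_BEFORE = "BlockedUsersGroup:read"

GROUPS = {  # constructed sample membership
    "BlockedUsersGroup": {"SpamAccount"},
    "TrustedEditorsGroup": {"LongTimeEditor"},
}
TEXTCHA_EXEMPT_GROUP = "TrustedEditorsGroup"


def _matches(subject, user):
    """user is None for an anonymous visitor, else the login name."""
    if subject == "All":
        return True
    if subject == "Known":
        return user is not None
    if subject in GROUPS:
        return user in GROUPS[subject]
    return user == subject


def may(user, right, acl_default, acl_before=ACL_BEFORE):
    """The first entry whose subject matches the user decides the right."""
    for entry in (acl_before + " " + acl_default).split():
        subjects, _, rights = entry.partition(":")
        if any(_matches(s, user) for s in subjects.split(",")):
            return right in rights.split(",")
    return False  # no entry matched: deny


def needs_textcha(user):
    """Everyone outside the exempt group answers a textcha before saving."""
    return user not in GROUPS[TEXTCHA_EXEMPT_GROUP]
```

Because the blocked group is matched before the default entries, a blocked account keeps read access but loses write even though it is a logged-in ("Known") user.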