[moin-devel] spam fighting ...

Thomas Waldmann tw at waldmann-edv.de
Mon Aug 20 09:30:50 EDT 2018


... the never ending story.

Here are some of my recent attempts in the moin-1.9 github repo (soon in
the 1.9.10 release):


* disabled the "newaccount" action by default.

This is to prevent spam bots from creating lots of user accounts in
little time on internet-exposed wikis.

To avoid forcing the wiki admin to create accounts on the shell (or
having to toggle the availability of the newaccount action temporarily),
I slightly modified the superuser's "Switch user" capability (see
"Settings" of superuser):

It is now able to switch to a non-existing user (and just create a new
user profile on the fly). So, as a superuser one only needs to give the
new username, switch to it, fill in the user's email address and then
the account can be claimed by the user on the login page via the "forgot
password" functionality (then setting a password, modifying profile
settings as needed).

While this method imposes some work on someone in the superuser list, it
is totally safe against spammers: there is no way humans or spam bots
can create accounts without the help of a superuser.


* safer internal default ACL: Known and All now only have read permissions.

This is to avoid accidentally giving r/w permissions to the world
when running a wiki on the internet. I recently shot myself in the
foot by forgetting to configure a safer default ACL (I only used
acl_rights_before, but did not lock out All/Known for writing).

Sample configs: suggest using an EditorGroup.

Again, this is a bit more work for wiki admins / group members, but it
is totally safe against spammers:

- no default write permissions for All (anon users)
- no default write permissions for Known (anyone who managed to create
an account, see also newaccount action)
- you cannot create/modify pages without logging in AND being
explicitly allowed by an ACL (by name or by group membership)

Using e.g. an EditorGroup, the work needed to give some legitimate user
write permissions can be distributed onto all members of some group
(e.g. EditorGroup or AdminGroup).


Note: not much in the original spirit of wiki (allow changes and revert
them if they are bad), but I guess there are too many idiots out there
for this.


For wikis without internet exposure, the more strict new default
settings can be undone via the wiki config, if desired.


-- 

GPG ID: 9F88FB52FAF7B393
GPG FP: 6D5B EF9A DD20 7580 5747 B70F 9F88 FB52 FAF7 B393
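The ACL change described in the post, shown as an added example that is not MoinMoin's own code: a simplified model of Moin-style ACL evaluation (entries checked left to right, first matching entry decides, unlisted rights denied), comparing a world-writable ACL of the kind the post warns against with the stricter "EditorGroup ... Known:read All:read" layout. The ACL strings, the group membership and the user names are constructed for the example.

```python
# Added example (not MoinMoin's own code): a minimal model of Moin-style ACL
# evaluation, to show why "Known:read All:read" plus an EditorGroup closes
# the spam hole. Assumptions: entries are evaluated left to right and the
# first matching entry decides; rights not listed in a matched entry are
# denied; "All" matches everyone, "Known" matches any logged-in user, and a
# group name matches its members.

ALL_RIGHTS = ("read", "write", "delete", "revert", "admin")


def parse_acl(acl_string):
    """Turn "EditorGroup:read,write Known:read All:read" into [(entry, {right: bool})]."""
    entries = []
    for token in acl_string.split():
        name, _, rights = token.partition(":")
        granted = set(rights.split(",")) if rights else set()
        entries.append((name, {r: (r in granted) for r in ALL_RIGHTS}))
    return entries


def allowed(acl, user, right, groups):
    """user=None means anonymous; groups maps a group name to a set of usernames."""
    for entry, rightsdict in parse_acl(acl):
        if entry == "All":
            matched = True
        elif entry == "Known":
            matched = user is not None
        elif entry in groups:
            matched = user in groups[entry]
        else:
            matched = entry == user
        if matched:
            return rightsdict[right]
    return False  # no entry matched: deny


# Constructed sample: a world-writable ACL next to the stricter layout
# (Known/All read-only, write rights only via an EditorGroup).
OPEN_ACL = "Known:read,write,delete,revert All:read,write,delete,revert"
SAFE_ACL = "EditorGroup:read,write,delete,revert Known:read All:read"
GROUPS = {"EditorGroup": {"alice"}}


def who_can_write(acl):
    """Which of (anonymous, freshly registered, group member) may write under this ACL."""
    actors = {"anon": None, "newbie": "spambot42", "editor": "alice"}
    return sorted(k for k, u in actors.items() if allowed(acl, u, "write", GROUPS))


if __name__ == "__main__":
    print("open:", who_can_write(OPEN_ACL))  # ['anon', 'editor', 'newbie']
    print("safe:", who_can_write(SAFE_ACL))  # ['editor']
```

With the stricter ACL, an account created by a bot ("newbie") is still only Known and so reads but never writes; only a name listed in EditorGroup gets write access, which is exactly the property the post relies on.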
