From d7dc1746d617bfadf4cf59c0b624a86bfdb97b2b Mon Sep 17 00:00:00 2001
From: Tom Fifield
Date: Tue, 8 Nov 2016 01:04:56 +0800
Subject: [PATCH] Restrict File Uploads, Page Moves to Known Users

Since https://review.openstack.org/#/c/368114/ introduced the 'autopatrol' group, a team has been proactively verifying and adding known-good users to the group as edits are made. The group currently contains almost 300 members, and most non-spam edits made on the wiki today are made by users with membership of this group. To date, group membership allowed bypassing the CAPTCHA for edits.

This patch proposes 3 additional, low impact, changes to further help with our ongoing spam problem.

1) Restrict File Uploads to members of the autopatrol group

Non-Spam file uploads on the OpenStack wiki are relatively rare, particularly for new users, and anyone who has uploaded a file in the past is already covered by the autopatrol group. Restricting this ability to verified users would completely remove a major spam avenue from the current attack.

2) Restrict Page Moves to members of the autopatrol group

Page moves tend to only be conducted by very experienced users of the OpenStack wiki, who have all been around a long time and are members of the autopatrol group. They are also very rare outside of spam situations. In spam situations, page moves make clean-up doubly difficult and allow spammers to work around new page creation restrictions. Restricting this ability assists somewhat with the spam attack.

3) Restrict Write API access to members of the autopatrol group

Author is unaware of anyone in the OpenStack community using the MediaWiki write API, however the fact that it is open for all users seems to make it a very tempting attack avenue for spammers.

Change-Id: I8a59e2a0d0fcddc0f2774a8a704c1ac57003d6a8
---
 templates/Settings.php.erb | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/templates/Settings.php.erb b/templates/Settings.php.erb
index 729e4ac..c494aa1 100644
--- a/templates/Settings.php.erb +++ b/templates/Settings.php.erb @@ -164,6 +164,18 @@ $wgGroupPermissions['autopatrol']['autopatrol'] = true; # Autopatrol users are legit, so don't need a CAPTCHA $wgGroupPermissions['autopatrol']['skipcaptcha'] = true; +# Only let known-good users upload files +$wgGroupPermissions['user']['upload'] = false; +$wgGroupPermissions['autopatrol']['upload'] = true; + +# Only let known-good users move pages and files +$wgGroupPermissions['user']['move'] = false; +$wgGroupPermissions['autopatrol']['move'] = true; + +# Only let known-good users the write API +$wgGroupPermissions['user']['writeapi'] = false; +$wgGroupPermissions['autopatrol']['writeapi'] = true; + # Useful for debugging purposes, and doesn't expose very sensitive info $wgShowExceptionDetails = true;
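Review bot: the writeapi block at the end of the hunk does not revoke anything on its own, because MediaWiki unions rights across every group a user belongs to and its DefaultSettings.php grants `$wgGroupPermissions['*']['writeapi'] = true;` to the implicit '*' group that every account, logged in or not, is a member of. Unless the template overrides that elsewhere (nothing in the shown context does), all users keep writeapi; the hunk should also set `$wgGroupPermissions['*']['writeapi'] = false;` next to the 'user' line. The same union rule is why the 'upload' and 'move' blocks are fine as written: '*' holds neither right by default, and sysops keep both through their own group. Separately, the comment "Only let known-good users move pages and files" overstates the 'move' block: moving files is the distinct 'movefile' right, which 'user' retains by default, so either add matching `['user']['movefile'] = false;` / `['autopatrol']['movefile'] = true;` lines or narrow the comment to pages. Lastly, the final comment is missing its verb: "Only let known-good users use the write API".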