Restrict File Uploads, Page Moves to Known Users
Since https://review.openstack.org/#/c/368114/ introduced the 'autopatrol' group, a team has been proactively verifying and adding known-good users to the group as edits are made. The group currently contains almost 300 members, and most non-spam edits made on the wiki today are made by users with membership of this group. To date, group membership allowed bypassing the CAPTCHA for edits.

This patch proposes 3 additional, low impact, changes to further help with our ongoing spam problem.

1) Restrict File Uploads to members of the autopatrol group

Non-Spam file uploads on the OpenStack wiki are relatively rare, particularly for new users, and anyone who has uploaded a file in the past is already covered by the autopatrol group. Restricting this ability to verified users would completely remove a major spam avenue from the current attack.

2) Restrict Page Moves to members of the autopatrol group

Page moves tend to only be conducted by very experienced users of the OpenStack wiki, who have all been around a long time and are members of the autopatrol group. They are also very rare outside of spam situations. In spam situations, page moves make clean-up doubly difficult and allow spammers to work around new page creation restrictions. Restricting this ability assists somewhat with the spam attack.

3) Restrict Write API access to members of the autopatrol group

Author is unaware of anyone in the OpenStack community using the MediaWiki write API, however the fact that it is open for all users seems to make it a very tempting attack avenue for spammers.

Change-Id: I8a59e2a0d0fcddc0f2774a8a704c1ac57003d6a8
parent 3b55a5b98d
commit d7dc1746d6
@ -164,6 +164,18 @@ $wgGroupPermissions['autopatrol']['autopatrol'] = true;
|
||||
# Autopatrol users are legit, so don't need a CAPTCHA
|
||||
$wgGroupPermissions['autopatrol']['skipcaptcha'] = true;
|
||||
|
||||
# Only let known-good users upload files
|
||||
$wgGroupPermissions['user']['upload'] = false;
|
||||
$wgGroupPermissions['autopatrol']['upload'] = true;
|
||||
|
||||
# Only let known-good users move pages and files
|
||||
$wgGroupPermissions['user']['move'] = false;
|
||||
$wgGroupPermissions['autopatrol']['move'] = true;
|
||||
|
||||
# Only let known-good users the write API
|
||||
$wgGroupPermissions['user']['writeapi'] = false;
|
||||
$wgGroupPermissions['autopatrol']['writeapi'] = true;
|
||||
|
||||
|
||||
# Useful for debugging purposes, and doesn't expose very sensitive info
|
||||
$wgShowExceptionDetails = true;
|
||||
|
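Review bot: the three added $wgGroupPermissions['user'][...] = false lines (upload, move, writeapi) only clear each right on the 'user' group, and MediaWiki group rights are additive, so a logged-in account keeps any of these rights that another group it belongs to still grants. This matters most for the writeapi line: MediaWiki's defaults also grant writeapi to '*', which every account is implicitly a member of, so unless that is cleared elsewhere in this file the restriction has no effect. Suggest adding $wgGroupPermissions['*']['writeapi'] = false; next to the 'user' line, and checking the same for upload and move. Separately, the comment "# Only let known-good users the write API" is missing a verb ("use").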