Please disable page creation on the wiki temporarily

Derek Atkins derek at ihtfp.com
Fri Nov 23 10:23:51 EST 2012 

Hi,

On Fri, November 23, 2012 8:43 am, John Ralls wrote:
>
> On Nov 23, 2012, at 4:47 PM, Christian Stimming <christian at cstimming.de>
> wrote:
>
>> Who of us can modify the mediawiki permission settings for our gnucash
>> wiki? I urge you to please temporarily disable the page creation
>> permission ("createpage") for normal users. Currently we have 10-20 new
>> spam pages per day, and deleting them regularly is a pain in the neck.
>>
>> It was somewhat more bearable if it's done by multiple persons, but
>> currently I'm alone with this. See
>> http://wiki.gnucash.org/wiki/Special:RecentChanges

Fell usually works on it, too,but I think he's away on holiday right now.

>> According to http://wiki.gnucash.org/wiki/Special:ListGroupRights, the
>> user group "all" has the permission to create pages "createpage" and
>> create discussion pages "createtalk". Both should be disabled for some
>> days so that I get some relief of the daily spam deletion tasks. Thanks!

Hmm, createpage should only exist for authenticated users, and it should
be delayed by 7 days (i.e., the account must exist for 7 days before they
can create pages).  Fell and I worked on that, but there's been no way to
actually test it.

> I haven't done a spam battle on a wiki in a while -- the last time was the
> wxPerl wiki a few years ago. We had page creation disabled and the
> spammers would just rewrite random pages.
>
> It's kind of un-wiki-like to restrict edits to known users, but it is an
> approach that works: Limit edits and creations to logged-in users (which
> we already do) and set a captcha and an email confirmation loop (which I
> don't think we do)  for new userids.

Actually, we do have both email *and* capcha for new userids, and have for
a while.

The spammers are just getting smarter about working around all those
checks.  The only way to truly work around the issue would be to lock it
down until new userids are manually vetted and then enabled.  But that's
not very wiki-like, as you say.

> The core devs should all have the privs to kill userids, and we should all
> review the changes (can it be made into an email notification or RSS/ATOM
> feed?) daily so that Christian isn't the only one doing cleanup.

Agreed, any core dev that wants it should have SysOp status.

> Regards,
> John Ralls

-derek

-- 
       Derek Atkins                 617-623-3745
       derek at ihtfp.com             www.ihtfp.com
       Computer and Internet Security Consultant

More information about the gnucash-devel mailing list