757951 - investigate: banning users with django

Status: RESOLVED FIXED

(developer.mozilla.org Graveyard :: Editing, defect)

Comment 1

[James Bennett [:ubernostrum]]

OK, so some notes on this:

The is_active flag on a user account isn't always reliable, because ultimately it's up to the auth backend to decide whether that's something worth looking at. The BrowserID auth stuff we use does *not* check for is_active, though we could probably have it do so. That would disable the ability of a banned account to log in.

The solution Les brought up yesterday of doing this through permissions might be a far better option, though: things like the existing hooks for allowing editing could easily be expanded to disallow banned accounts even if they're still logged in (say, off a pre-existing session).

For full functionality, though, we want the ability to ban an IP address, too. That's a bit more complicated; the existing rate-limiting apps available for Django, and quite a few ban-related middlewares floating around, are mostly geared toward shutting down *all* requests from an IP, and we just want to disable those that create/alter data.

Probably the simplest solution would be a basic model with fields for an IP address and a couple of timestamps; that gets us the idea of "ban this IP from now to that future date" (since end-user IPs tend to be a bit dynamic), and is easy enough to check for from the relevant code.