[spam] Allow admin to create account on behalf of new users

Status: NEW (enhancement), Unassigned
Reporter: Jeremie
Tracking: Blocks 1 bug, in-triage
Whiteboard: [specification][type:feature]

Description (Reporter, 2 years ago)
What problem would this feature solve?
======================================
In case of a spam attack we turn account creation off to mitigate the attack, sometimes for several days. In such a case we need to be able to create a new account for a legitimate user who asks an admin to help them.

Who has this problem?
=====================
All visitors to MDN

How do you know that the users identified above have this problem?
==================================================================
Currently, when account creation is off, the process to have a legitimate user create a new account is the following:

* The user reaches out to an admin
* The admin turns on account creation
* The admin notifies the user that they have X minutes to create their account
* Once the user acknowledges that the account is created, or once X minutes
  have passed, the admin turns off account creation.

How are the users identified above solving this problem now?
============================================================
This process is currently problematic as it is:

* Synchronous: user and admin have to do everything together
* Unsafe: in the open window, spammers can catch up and resume
  their attack


Do you have any suggestions for solving the problem? Please explain in detail.
==============================================================================
Having admins able to create an account through the admin interface on behalf of a user would allow asynchronous work (better for the admin, who can organize the work around that) and wouldn't leave an opportunity for spammers to get in.

Is there anything else we should know?
======================================
The issue is that the only auth mechanism available on MDN requires user interaction with a third-party mechanism (Persona or GitHub). That is a serious concern that needs to be discussed before any implementation attempt.

Updated (Reporter, 2 years ago): Blocks: 1109994

One solution would be the "request an account" workflow used by startups in beta testing:

* Visitor fills out a request form
* Admin gets an email, clicks the "invite visitor" link
* An email is sent to the user containing an invite URL
* The visitor clicks the link, and goes through signup

The work would be:

* Decide the relative priority with opening account creation to all (work can't be done in parallel with current resources)
* Design and create a request form
* Create an admin email
* Create a distribution list for new account admins
* Create a new database table for invite codes
* Create a new Django admin view for invite codes
* Create a landing page for invite URLs (happy path, sad path, denial of service path)
* Hack the account signup to work around the registration_disabled flag
* Ensure strings are localizable, available on Pontoon

My quick estimate is 2-4 weeks.

If there is no public request form, then the Django admin would be used to create invite codes given an email address, and would save about a week.
Keywords: in-triage
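The invite-code table, admin-side code creation and invite-URL landing page proposed in the comment above, as an added example that is not Kuma's code or anything from this bug: a minimal single-use, expiring, email-bound invite store. The one-week lifetime, the in-memory dict standing in for the Django table, the `/invite/?code=` URL shape and the sample address are all assumptions made for the example.

```python
# Added example for this bug discussion, not MDN/Kuma code.
# Assumptions: one row per invite code, a one-week lifetime, an in-memory
# dict in place of the proposed Django table, and a /invite/?code= URL.
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from urllib.parse import quote

INVITE_TTL_SECONDS = 7 * 24 * 3600  # assumption: an invite is valid for one week


@dataclass
class Invite:
    email: str          # address the admin approved; the code is bound to it
    token_hash: str     # only the SHA-256 of the code is stored, never the code
    expires_at: float   # unix timestamp after which the code is dead
    used: bool = False  # single-use: flipped on the first successful redemption


class InviteStore:
    """Stand-in for the proposed invite-code table (assumption: one row per code)."""

    def __init__(self, now=time.time):
        self._rows = {}   # token_hash -> Invite
        self._now = now   # injectable clock so expiry can be tested deterministically

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def create(self, email: str, ttl: int = INVITE_TTL_SECONDS) -> str:
        """Admin side: mint a code for an approved address. The raw code is
        returned exactly once so it can go into the emailed invite URL; a
        leaked table only exposes hashes that cannot be redeemed."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        h = self._hash(token)
        self._rows[h] = Invite(email.strip().lower(), h, self._now() + ttl)
        return token

    def redeem(self, token: str, email: str) -> str:
        """Landing-page side: "ok" on the happy path, otherwise a reason the
        page can log and map to one generic failure message for the visitor."""
        row = self._rows.get(self._hash(token))
        if row is None:
            return "invalid"
        if row.used:
            return "used"
        if self._now() > row.expires_at:
            return "expired"
        # The code only works for the address it was issued to, compared in
        # constant time so the mismatch check leaks nothing about the stored value.
        if not hmac.compare_digest(row.email.encode("utf-8"),
                                   email.strip().lower().encode("utf-8")):
            return "email_mismatch"
        row.used = True
        return "ok"


def invite_url(base: str, token: str) -> str:
    """Build the link for the invite email (URL layout is an assumption)."""
    return f"{base.rstrip('/')}/invite/?code={quote(token, safe='')}"


if __name__ == "__main__":
    store = InviteStore()
    code = store.create("new.user@example.org")        # constructed sample address
    print(invite_url("https://developer.mozilla.org", code))
    print(store.redeem(code, "new.user@example.org"))  # ok
    print(store.redeem(code, "new.user@example.org"))  # used (single-use)
```

The "sad path" and "denial of service path" from the work list map onto the non-"ok" results: every failure is indistinguishable to the visitor (one generic message), the stored hash means a dumped table cannot be replayed, and because a failed lookup costs one SHA-256 the landing page can be rate-limited per client without the code store itself becoming the bottleneck.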