With any POST request to edit profiles, I can end up creating groups. This might seem sane at first, but I can, using some script, send several requests each causing the creation of a large number of groups. From what I can tell, this definitely hogs up CPU on the server as it takes on the order of minutes to create ~10000 groups. See: https://mozillians.org/en-US/u/6d7abdc827 and making groups?page=xxx meaningless https://mozillians.org/en-US/groups?page=530
I would disagree that this was a higher priority if we only allowed Vouched Mozillians to add groups, but we allow non-vouched users (possible spammers) to do so too. We should look into limiting the number of groups users can create if they're non-vouched.
Let's do this: * Restrict group creation to vouched users * Attach a creator to the group (if it's not already there) This will probably prevent the spam issue contemplated, and give us a way to clean up and ban if the issue ever surfaces.
The suggestions in comment 2 have now been implemented. Creating groups is done explicitly, and elegantly through a new form. Each new group is associated with a curator, who is the creator. Marking as resolved, thanks to the excellent work in bug 936569.
QA Verified on stage and prod.