700718 - It's too easy to create a group on Mozillians.org

Status: VERIFIED FIXED

(Participation Infrastructure :: Phonebook, defect, P3)

Description

[Felix Fung (:felix)]

With any POST request to edit profiles, I can end up creating groups. This might seem sane at first, but I can, using some script, send several requests each causing the creation of a large number of groups. From what I can tell, this definitely hogs up CPU on the server as it takes on the order of minutes to create ~10000 groups.

See:
https://mozillians.org/en-US/u/6d7abdc827
and making groups?page=xxx meaningless
https://mozillians.org/en-US/groups?page=530

Comment 1

[Aakash Desai [:aakashd]]

I would disagree that this was a higher priority if we only allowed Vouched Mozillians to add groups, but we allow non-vouched users (possible spammers) to do so too.

We should look into limiting the number of groups users can create if they're non-vouched.

Comment 2

[Justin Crawford [:hoosteeno] [:jcrawford]]

Let's do this:

* Restrict group creation to vouched users
* Attach a creator to the group (if it's not already there)

This will probably prevent the spam issue contemplated, and give us a way to clean up and ban if the issue ever surfaces.

Comment 3

[William Reynolds [:williamr]]

The suggestions in comment 2 have now been implemented. Creating groups is done explicitly, and elegantly through a new form. Each new group is associated with a curator, who is the creator.

Marking as resolved, thanks to the excellent work in bug 936569.

Comment 4

[Vuyisile Ndlovu [:terrameijar]]

QA Verified on stage and prod.