It's too easy to create a group on Mozillians.org

VERIFIED FIXED

Status

Participation Infrastructure
Phonebook
P3
normal
6 years ago
4 years ago

People

(Reporter: felix, Unassigned)

Details

(Whiteboard: [infrasec:dos])

(Reporter)

Description

6 years ago
With any POST request to edit profiles, I can end up creating groups. This might seem sane at first, but I can, using some script, send several requests each causing the creation of a large number of groups. From what I can tell, this definitely hogs up CPU on the server as it takes on the order of minutes to create ~10000 groups.

See:
https://mozillians.org/en-US/u/6d7abdc827
and making groups?page=xxx meaningless
https://mozillians.org/en-US/groups?page=530
I would disagree that this was a higher priority if we only allowed Vouched Mozillians to add groups, but we allow non-vouched users (possible spammers) to do so too.

We should look into limiting the number of groups users can create if they're non-vouched.
Severity: major → normal
Priority: -- → P2
Target Milestone: --- → 1.3
(Reporter)

Updated

6 years ago
Whiteboard: [infrasec:dos]

Updated

6 years ago
Component: mozillians.org → Phonebook
Product: Websites → Community Tools
QA Contact: mozillians-org → phonebook
Target Milestone: 1.3 → ---
Version: unspecified → other
Let's do this:

* Restrict group creation to vouched users
* Attach a creator to the group (if it's not already there)

This will probably prevent the spam issue contemplated, and give us a way to clean up and ban if the issue ever surfaces.
Priority: P2 → P3
Depends on: 936569
Depends on: 938184
The suggestions in comment 2 have now been implemented. Creating groups is done explicitly, and elegantly through a new form. Each new group is associated with a curator, who is the creator.

Marking as resolved, thanks to the excellent work in bug 936569.
Status: NEW → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → FIXED
QA Verified on stage and prod.
Status: RESOLVED → VERIFIED
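
The mitigation agreed in this bug (group creation restricted to vouched users, a creator attached to every group, creation moved out of the profile-edit POST into an explicit step), as an added example. This is not code from mozillians.org: the class and function names, the `MAX_GROUPS_PER_CREATOR` cap and the `purge_creator` cleanup helper are assumptions made for illustration.

```python
from dataclasses import dataclass, field

MAX_GROUPS_PER_CREATOR = 20  # assumed cap; the bug does not give a number


class GroupCreationDenied(Exception):
    """Group creation request rejected by policy."""


@dataclass
class User:
    username: str
    is_vouched: bool


def normalize(name):
    return name.strip().lower()


@dataclass
class GroupStore:
    # group name -> creator username (the group's curator)
    curators: dict = field(default_factory=dict)

    def update_profile_groups(self, user, names):
        """Profile-edit path: join existing groups, never create new ones."""
        return [n for n in map(normalize, names) if n in self.curators]

    def create_group(self, user, name):
        """Explicit creation path: vouched users only, creator recorded."""
        name = normalize(name)
        if not user.is_vouched:
            raise GroupCreationDenied("only vouched users may create groups")
        if not name or name in self.curators:
            raise GroupCreationDenied("empty or duplicate group name")
        owned = sum(1 for c in self.curators.values() if c == user.username)
        if owned >= MAX_GROUPS_PER_CREATOR:
            raise GroupCreationDenied("per-creator group limit reached")
        self.curators[name] = user.username
        return name

    def purge_creator(self, username):
        """Cleanup after a ban: delete every group that account created."""
        doomed = [n for n, c in self.curators.items() if c == username]
        for n in doomed:
            del self.curators[n]
        return len(doomed)
```

Because unknown names submitted with a profile edit are dropped rather than created, the cost of one edit request is bounded by the groups that already exist, and the recorded creator makes cleanup a single lookup.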