
mahara-contributors team mailing list archive

[Bug 695192] Re: self-registration and avoiding spam problems and improvements


** Information type changed from Private to Public Security

-- 
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: Subscription for all Mahara Contributors -- please ask on #mahara-dev or mahara.org forum before editing or unsubscribing it!
https://bugs.launchpad.net/bugs/695192

Title:
  self-registration and avoiding spam problems and improvements

Status in Mahara ePortfolio:
  Fix Released

Bug description:
  Hello,

  This bug is marked as a security vulnerability so that it stays private
  and does not alert everybody to the problem until it is fixed.

  Recently, we have had a number of spammers misusing Mahara sites for
  their activities. They create manual accounts and then views in which
  they promote their links. While trying to come up with a solution, I
  updated the wiki after talking to Francois:
  http://wiki.mahara.org/Site_Administrator_Guide/Configure_site_options

  However, I also remembered that if I have an institution separate from
  the standard one and allow registration, I as institution
  administrator am asked whether I allow the requestor into my
  institution or not. We thought that this could solve the problem in
  the interim: only allow people to register in institutions other than
  the default one, because then an administrator can screen them
  beforehand. While that is true, once a person has created an account,
  and still while waiting for acceptance into an institution, he already
  has a full Mahara account and is put into the default institution even
  when it does not allow registration.

  This is a potential risk for any Mahara site with self-registration:
  anybody could create accounts and use them even when institutions
  are set up to prevent people from just having accounts without a
  corresponding institution. As I can't get rid of the default
  institution on demo.mahara.org, I could not test what happens then.

  If I allow registration for an institution other than the default one,
  the institution administrator receives a notification to approve or
  decline membership. That feature should be available for the default
  institution as well so that the administrator can choose to moderate.

  The following is an idea of what to change.

  1. Add a checkbox (and the functionality) to the institution admin page for moderating requests to join an institution, e.g. next to "Registration allowed" to any institution be it default or created manually.
  2. If self-registration is allowed and an institution must be chosen, the account should not be activated before the institution administrator has given his OK. That should prevent users from using Mahara in a default institution.
  3. Thus, don't put users in the default institution if they have not yet received their acceptance into another institution. Currently, that is possible even when registration is disabled for the standard institution.
  4. Re-think "public views". E.g. you may wish to have a site with self-registration, e.g. mahara.org, but to avoid manual spam creation, we may wish to disallow public views. However, that would mean that nobody could have public views which could be rather drastic as most users are legit. E.g. allow the administrator (site and institution admin) to make any view public upon request from a view owner.

  Cheers
  Kristina

  P.S. I marked this 1.4alpha1 because this affects MyPortfolio and
  possibly also how to put people in institutions there.

To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/695192/+subscriptions
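The registration flow proposed in points 1 to 3 of the report, written out as a small model so the intended behaviour can be checked: an account requested in a moderated institution stays pending, cannot log in, and is not placed in the default institution until the institution administrator approves it; a declined request never becomes a usable account. This is an added illustration and not Mahara's own code. The flag name `moderate_requests`, the class and method names, and the institution names used in the scenario are assumptions made for the example; the only value taken from Mahara itself is that the default institution's internal name is `mahara`.

```python
"""Illustrative model of moderated self-registration (not Mahara code)."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Set


class AccountState(Enum):
    PENDING = "pending"    # registered, waiting for an institution admin decision
    ACTIVE = "active"      # approved: may log in and belongs to an institution
    REJECTED = "rejected"  # declined: must never become usable


@dataclass
class Institution:
    name: str
    register_allowed: bool
    # The proposed "moderate requests" checkbox (hypothetical name).
    moderate_requests: bool = False


@dataclass
class Account:
    username: str
    requested_institution: str
    state: AccountState = AccountState.PENDING
    institutions: Set[str] = field(default_factory=set)


class RegistrationPolicy:
    """Registration, approval and login checks for one site."""

    DEFAULT_INSTITUTION = "mahara"  # Mahara's default institution (internal name)

    def __init__(self, institutions: List[Institution]) -> None:
        self.institutions: Dict[str, Institution] = {i.name: i for i in institutions}
        self.accounts: Dict[str, Account] = {}
        self.audit: List[str] = []  # constructed audit trail for the admin

    def register(self, username: str, institution_name: str) -> Account:
        """Point 2/3: no activation and no default membership while pending."""
        inst = self.institutions.get(institution_name)
        if inst is None or not inst.register_allowed:
            raise PermissionError(f"registration not allowed in {institution_name!r}")
        acct = Account(username, institution_name)
        if inst.moderate_requests:
            # Point 1: moderated institution, so the admin must decide first.
            self.audit.append(f"pending request: {username} -> {institution_name}")
        else:
            self._activate(acct, inst)
        self.accounts[username] = acct
        return acct

    def approve(self, admin_institution: str, username: str) -> Account:
        """Institution admin accepts the request; only now is the account usable."""
        acct = self._pending(username)
        if acct.requested_institution != admin_institution:
            raise PermissionError("admin may only approve requests for own institution")
        self._activate(acct, self.institutions[admin_institution])
        self.audit.append(f"approved: {username} -> {admin_institution}")
        return acct

    def decline(self, admin_institution: str, username: str) -> Account:
        """Institution admin declines; the account never gets a membership."""
        acct = self._pending(username)
        if acct.requested_institution != admin_institution:
            raise PermissionError("admin may only decline requests for own institution")
        acct.state = AccountState.REJECTED
        self.audit.append(f"declined: {username} -> {admin_institution}")
        return acct

    def can_login(self, username: str) -> bool:
        acct = self.accounts.get(username)
        return acct is not None and acct.state is AccountState.ACTIVE

    def in_default_institution(self, username: str) -> bool:
        acct = self.accounts.get(username)
        return acct is not None and self.DEFAULT_INSTITUTION in acct.institutions

    def _pending(self, username: str) -> Account:
        acct = self.accounts.get(username)
        if acct is None or acct.state is not AccountState.PENDING:
            raise LookupError(f"no pending request for {username!r}")
        return acct

    @staticmethod
    def _activate(acct: Account, inst: Institution) -> None:
        acct.state = AccountState.ACTIVE
        acct.institutions.add(inst.name)


def demo_site() -> RegistrationPolicy:
    """Constructed site: default institution closed, one moderated institution."""
    return RegistrationPolicy([
        Institution("mahara", register_allowed=False),
        Institution("Demo University", register_allowed=True, moderate_requests=True),
    ])
```

Running the scenario in `demo_site()`: a request for "Demo University" is created pending, `can_login` stays false and `in_default_institution` stays false until `approve` is called; `decline` leaves the account rejected with no memberships; and a direct request for the closed default institution is refused outright, which is the gap the report describes being closed.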