** Information type changed from Private to Public Security

-- 
You received this bug notification because you are a member of Mahara Contributors, which is subscribed to Mahara.
Matching subscriptions: Subscription for all Mahara Contributors -- please ask on #mahara-dev or mahara.org forum before editing or unsubscribing it!
https://bugs.launchpad.net/bugs/695192
Title:
  self-registration and avoiding spam problems and improvements

Status in Mahara ePortfolio:
  Fix Released

Bug description:
  Hello,

  This bug is marked as a security vulnerability so that it stays private and does not alert everybody to the problem until it is fixed.

  Recently, we have had a number of spammers misusing Mahara sites for their activities. They create manual accounts and then views in which they promote their links.

  While trying to come up with a solution, I updated the wiki after talking to Francois:
  http://wiki.mahara.org/Site_Administrator_Guide/Configure_site_options

  However, I also remembered that if I have a separate institution to the standard one and allow registration, then I, as institution administrator, am asked whether I allow the requestor into my institution or not. We thought that this could solve the problem in the interim: only allow people to register in institutions but the default one, because then an administrator can screen them beforehand.

  While that is true, once a person has created an account, and still while waiting for acceptance into an institution, he already has a full Mahara account and is put into the default institution even when it does not allow registration. This is a potential risk for any Mahara site with self-registration: anybody could create accounts and use it even when institutions are set up to prevent people from just having accounts without a corresponding institution.

  As I can't get rid of the default institution on demo.mahara.org, I could not test what happens then. If I allow registration for an institution but the default one, the institution administrator receives a notification to approve or decline membership. That feature should be available for the default institution as well so that the administrator can choose to moderate.

  The following is an idea of what to change.

  1. Add a checkbox (and the functionality) to the institution admin page for moderating requests to join an institution, e.g. next to "Registration allowed", to any institution, be it default or created manually.

  2. If self-registration is allowed and an institution must be chosen, the account should not be activated before the institution administrator gave his OK. That should prevent users from using Mahara in a default institution.

  3. Thus, don't put users in the default institution if they have not yet received their acceptance into another institution. Currently, that is possible even when registration is disabled for the standard institution.

  4. Re-think "public views". E.g. you may wish to have a site with self-registration, e.g. mahara.org, but to avoid manual spam creation, we may wish to disallow public views. However, that would mean that nobody could have public views, which could be rather drastic as most users are legit. E.g. allow the administrator (site and institution admin) to make any view public upon request from a view owner.

  Cheers
  Kristina

  P.S. I marked this 1.4alpha1 because this affects MyPortfolio and possibly also how to put people in institutions there.

To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/695192/+subscriptions

_______________________________________________
Mailing list: https://launchpad.net/~mahara-contributors
Post to     : [email protected]
Unsubscribe : https://launchpad.net/~mahara-contributors
More help   : https://help.launchpad.net/ListHelp
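The registration flow the report describes, as an added model that is not Mahara's own code: the reported behaviour (account active at once and placed in the default institution while the chosen institution is still pending) beside the proposed one (points 1-3: a moderation flag per institution, no default-institution membership, account inactive until the institution admin approves). Institution names, field names and the pending/approve states are assumptions made for the example.

```python
"""Constructed model of Mahara self-registration as described in bug 695192.
Not Mahara code: DEFAULT_INSTITUTION, the flag names and the approval
states are assumptions used to illustrate the reported and proposed flows."""
from dataclasses import dataclass, field

DEFAULT_INSTITUTION = "mahara"  # assumed name of the site's default institution


@dataclass
class Institution:
    name: str
    registerallowed: bool
    moderated: bool = False  # the proposed "moderate join requests" checkbox


@dataclass
class Account:
    username: str
    active: bool
    institutions: set = field(default_factory=set)  # confirmed memberships
    pending: set = field(default_factory=set)       # awaiting admin approval


def register_reported(username, chosen, institutions):
    """Reported flow: the account is usable immediately and lands in the
    default institution even when that institution disallows registration."""
    if not institutions[chosen].registerallowed:
        raise PermissionError("registration not allowed for " + chosen)
    acct = Account(username, active=True)
    acct.institutions.add(DEFAULT_INSTITUTION)  # default's own setting ignored
    if chosen != DEFAULT_INSTITUTION:
        acct.pending.add(chosen)
    return acct


def register_proposed(username, chosen, institutions):
    """Proposed flow: only the chosen institution is involved, and a moderated
    institution keeps the account inactive until its admin decides."""
    inst = institutions[chosen]
    if not inst.registerallowed:
        raise PermissionError("registration not allowed for " + chosen)
    acct = Account(username, active=not inst.moderated)
    (acct.pending if inst.moderated else acct.institutions).add(chosen)
    return acct


def decide(acct, institution_name, approved):
    """Institution admin approves or declines a pending join request;
    a declined request leaves the account inactive with no membership."""
    acct.pending.discard(institution_name)
    if approved:
        acct.institutions.add(institution_name)
        acct.active = True
    return acct
```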

