https://bugzilla.wikimedia.org/show_bug.cgi?id=65850
--- Comment #6 from Peter Coombe <[email protected]> ---
(In reply to Chris Steipp from comment #2)
> At an architectural level, there's a couple of things that concern me:
> * It seems like a violation of least privilege / separation of duty that
> those who can view results always get 100% of them, and have to do their own
> analysis to figure out which petition was signed.

I'm not sure this is such a big deal for us, since there are only plans for one petition at the moment. Being able to filter the output by petition would be nice, but doesn't strike me as a security issue (unless we want to introduce per-petition rights, which will get complicated).

> * If we get hit with "spam" (obviously not visible to the public, so low
> value to the spammer.. but a user could easily write JavaScript to submit the
> form 10M times), there's no way to delete it other than deleting rows in the
> DB. That seems like it will come back to bite us.

Based on this and feedback elsewhere I'm going to add rate-limiting, which should mitigate this.

> * Similarly, if we notice abuse, the extension doesn't respect user blocks.

It's going to be installed on the wikimediafoundation.org site, where editing is locked down so the only current blocks are of former staff. I think abuse is unlikely, but agree that it would be good to have some way to stop it just in case, and will look into adding a check for blocks.

> * The extension doesn't integrate with abusefilter / spam blacklist or
> Checkuser. The spam ones, again, we probably don't need. If someone starts
> submitting death threats in the petition comments, then we will want
> Checkuser integration.

I guess we'll need this in order to determine who to block if it gets to that. Is there documentation somewhere on how to integrate with Checkuser?
