
Opened 12 years ago

Closed 10 years ago

Last modified 10 years ago

#10092 closed enhancement (fixed)

Restrict allowed username

Reported by: Ryan J Ollos
Owned by: Ryan J Ollos
Priority: normal
Component: TracHacks
Severity: normal
Keywords: user registration check
Cc: Steffen Hoffmann, Michael Renzmann
Trac Release: 0.11

Description (last modified by Ryan J Ollos)

This ticket captures some discussion among otaku42, rjollos and hasienda regarding problems with certain usernames on t-h.o. Specifically, dev and one were pointed out to be problematic.

Some solutions were proposed:

  1. Prevent some common words from being used as usernames (e.g. admin).
  2. Minimum length for usernames.

It was also suggested that we might increase the min length for auto-wikification.

Some thought should also be given to how we will deal with improper usernames that we don't think of beforehand and preemptively blacklist. If we can confirm that they are really spam, then we just delete the accounts, but if they are not spam, perhaps we can just immediately contact the user and help them to change their username.

Attachments (1)

2012-01-02 Sanitized Email Thread.txt (2.6 KB) - added by Ryan J Ollos 12 years ago.


Change History (13)

Changed 12 years ago by Ryan J Ollos

comment:1 Changed 12 years ago by Steffen Hoffmann

Keywords: user registration check added

Thanks for capturing this.

The new user procedure has seen significant changes, however I've not yet implemented the REGEXP feature (#5295), that would come close to proposal no 1. A separate blacklist would certainly be preferred for that, or a dedicated wiki page.

Not implemented is valid for the "minimum length of username" requirement, but while this is a smart idea indeed, I don't remember such a request until now.

comment:2 in reply to:  1 Changed 12 years ago by Ryan J Ollos

Replying to hasienda:

The new user procedure has seen significant changes, however I've not yet implemented the REGEXP feature (#5295), that would come close to proposal no 1. A separate blacklist would certainly be preferred for that, or a dedicated wiki page.

My initial thought is, I like the idea of the dedicated wiki page, patterned after the BadContent page.

comment:3 Changed 12 years ago by Ryan J Ollos

Cc: Steffen Hoffmann Michael Renzmann added; anonymous removed
Owner: changed from Steffen Hoffmann to Ryan J Ollos

Here are the current autowikify settings:

[autowikify]
exclude = plugin,release,macro,type,metatag,macro,script,patch,theme,integration,workflow,0.8,0.9,0.10,0.11,0.12,1.0,example,unsupported,ugly,tutorial,translation,theme,user,test,broken,news,add,alpha,beta
minimum_length = 3

We could set minimum_length to 4, or add dev and one to the exclude field.

Thoughts?

comment:4 Changed 12 years ago by Steffen Hoffmann

+1 for raising the bar even to 5 characters --> minimum_length = 5

So we can delete "add", "type", "ugly" and more from the current list afterwards and forget about the words we discussed earlier too. Seems like most branch version numbers fall into the black-listed category, and I think that's fine, isn't it?

Some more candidates for the blacklist (applies to an upcoming blacklist for AccountManager as well):

  • admin
  • smart

From looking through current wiki page index I see, there is a lot more, especially regarding user names. But this is a different topic, not strictly related to auto-wikification.

There are just some suggestions on invalid usernames:

  • less than 4 chars, possibly more - handle exceptions (well-known hacker acronyms etc.) on request to admins
  • numbers-only
  • numbers mixed with (common) special chars like '#', '-', '_'
  • bad language - exceptions like above, if pre-existing

I've not made up my mind on Unicode names. Should we allow them at all? They may introduce a bunch of problems, but OTOH Unicode support is strong in Trac >= 0.12, so we could feel forced to fix plugins instead, as we get aware of them. Hm, the longer I think it's becoming more of a challenge (good).

comment:5 Changed 12 years ago by Steffen Hoffmann

Just started to edit a username policy proposal wiki page.

comment:6 Changed 12 years ago by Steffen Hoffmann

Status update:

Manual review of all user names (wiki pages tagged with user) beginning with [A-Za] done, stopped now - waiting for some feedback on if/how to proceed with this

comment:7 Changed 12 years ago by Steffen Hoffmann

Status update:

With REGEXP available since [11960] there are blacklisting and moderation left for implementation so far. Anyone willing to figure out the correct regular expression for no. 2 + 3 in the list of requirements?

comment:8 in reply to:  5 Changed 11 years ago by Steffen Hoffmann

Replying to hasienda:

Just started to edit a username policy proposal wiki page.

I'll get more serious about this after updating AcctMgr to v0.5. Today I've seen a SPAM monitoring entry of a stopped attempt to spam WikiStart from a successfully registered account. So I decided to try deleting that account from a button provided by SpamFilterPlugin, but before I could, someone deleted all SPAM entries. So I did it from users admin panel, while creating a record in the user clearance page mentioned above - as (invisible) wiki comment for now. I'll take this and further records for creating a blacklist later on.

comment:9 Changed 10 years ago by Dirk Stöcker

I'd think this ticket and the user clearance can be dropped with the current mechanisms. Unused user names will vanish when cleaning is finished. All the remaining ones not matching the new rules are or have been used, so we can't remove them really.

comment:10 in reply to:  9 Changed 10 years ago by Steffen Hoffmann

Resolution: fixed
Status: changed from new to closed

Replying to stoecker:

I'd think this ticket and the user clearance can be dropped with the current mechanisms. Unused user names will vanish when cleaning is finished. All the remaining ones not matching the new rules are or have been used, so we can't remove them really.

Provided, that we eliminate unsolicited content that could make spammer accounts look like valid ones, yes. But I'm still willing to add the last missing feature (account name blacklisting) for an even more convenient solution of this ticket.

Besides, nothing prevents us from changing UIDs of accounts, that don't fit our policy, if we reach agreement with the account owner.

comment:11 in reply to:  10 Changed 10 years ago by Ryan J Ollos

Description: modified (diff)

comment:12 in reply to:  10 Changed 10 years ago by Ryan J Ollos

Replying to hasienda:

But I'm still willing to add the last missing feature (account name blacklisting) for an even more convenient solution of this ticket.

Yeah I think that feature is still useful. Even after we eliminate accounts you've identified on the SiteUpgradeProposal/UserClearance page, such as Anonymous, there's nothing as far as I know to keep someone from creating an account with the same name again.

Last edited 10 years ago by Ryan J Ollos
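The username rules discussed in comment:4, comment:7 and comment:12, as an added example that is not part of the ticket and is not AccountManager code. It is a standalone sketch of a registration check: the minimum length of 4, the reserved list, the reading of rules 2 and 3 as "at least one digit and otherwise only '#', '-', '_'", and the NFKC/casefold normalization are all assumptions made for illustration.

```python
import re
import unicodedata

# Assumed policy values drawn from the discussion above (not project settings).
MIN_LENGTH = 4
RESERVED = frozenset({"admin", "anonymous", "smart"})
# Rules 2 and 3 from comment:4: digits only, or digits mixed with '#', '-', '_'.
DIGITS_AND_SPECIALS = re.compile(r"(?=.*[0-9])[0-9#_-]+")


def normalize(username):
    """Fold compatibility forms and case so look-alike names compare equal.

    Without this step "Anonymous" or a fullwidth "ADMIN" would slip past a
    lowercase ASCII reserved list.
    """
    return unicodedata.normalize("NFKC", username).casefold().strip()


def check_username(username):
    """Return the list of violated rules; an empty list means accepted."""
    name = normalize(username)
    problems = []
    if len(name) < MIN_LENGTH:
        problems.append("too short")
    if name in RESERVED:
        problems.append("reserved")
    if DIGITS_AND_SPECIALS.fullmatch(name):
        problems.append("digits/specials only")
    return problems


if __name__ == "__main__":
    # Constructed sample names; the fourth is "ADMIN" in fullwidth letters.
    samples = ["rjollos", "dev", "Anonymous",
               "\uff21\uff24\uff2d\uff29\uff2e", "2012-01_02", "12"]
    for sample in samples:
        print(repr(sample), check_username(sample) or "ok")
```

Run at registration time, a check like this also blocks re-registration of a deleted name such as Anonymous, which the clean-up of existing accounts alone does not prevent.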
