
Setup

Posted: Fri Jan 25, 2019 7:57 am
by Pierrot
Upon install, phpBB comes with a few default groups (three of them are user groups) and a default set of roles. Additionally, the OneAll extension (to allow social login) adds a fourth user group.

How should we set up groups and permissions? The less we have, the simpler it is. I'm pretty sure that too much granularity may result in a nightmare to manage.

Basically, my personal point of view is that nothing should be hidden. Not all users should have the right to modify everything, but I would like that at least everyone is able to read and reply to existing topics, except of course those for which there is really no need to comment (they should be pretty rare though).

Other general rules that I have in mind (some of them are obvious):
  • only administrators can post in General (this is reserved for announcements and stuff like that), but anyone can leave a comment
  • only administrators and moderators can post in Forum managements, but anyone can leave a comment
  • there may be some forums where new users should not be able to post new topics, namely Tutorials (and others?), but other than that I believe they should have the right to do it.
Discussion is open.

Re: Setup

Posted: Fri Jan 25, 2019 9:07 am
by TrianguloY
Administrators and moderators can be left as they are now.
About normal users groups, it depends on how we want to address spam.
The simplest solution is to have only one normal users group ('registered user' for example) with the expected minimum necessary permissions. Once you register, you can post/comment where applicable.
An alternative solution (the most common one I think) is to have two separate user groups, the previous one and another 'new users'. This second default group should have very limited permissions, perhaps only comment on the support category and without attachments, and once they create 5 posts (or another objective we choose) they are automatically moved to the previous and less restricted group.
The third and more restrictive approach is to have manual approval, in case spam becomes a real issue. This way the 'new users' group should only have permission to comment in a 'welcome' subforum, and should be manually updated by moderators/administrators.

I think we can start with the first approach, perhaps in the future move to the second one, and only if strictly necessary think about the third.

Re: Setup

Posted: Fri Jan 25, 2019 3:18 pm
by Pierrot
The "new member post limit" is currently set to 3, but if possible I would prefer that new users can create topics as soon as they register. The reason is that if someone registers to get some help, he/she needs to create a topic.

I agree with you, let's start with the first approach and see how it goes. I'm not too worried about spam at the moment because I'm not too sure that there will be a lot of members :?

Re: Setup

Posted: Fri Jan 25, 2019 6:29 pm
by TrianguloY
The "new member post limit" is now set to 0, and so the first approach is active.
To be edited in the future if necessary.

Re: Setup

Posted: Sat Jan 26, 2019 3:55 pm
by Pierrot
Ok. It is also possible to modify forum permissions to allow posting for new users. This is what I did at the beginning (except for tutorials).

Re: Setup

Posted: Mon Jan 28, 2019 8:58 am
by juwlz
TrianguloY wrote:
Fri Jan 25, 2019 6:29 pm
The "new member post limit" is now set to 0, and so the first approach is active.
To be edited in the future if necessary.

I'm not sure that's working as intended. I'm getting notifications (because I've enabled them) that Pierrox's posts need approval :mrgreen:

Edit - scratch that - I was misled by the email address used for the notifications.

Re: Setup

Posted: Mon Jan 28, 2019 9:06 am
by Pierrot
Oh sorry, that's probably me making experiments with notifications, I registered a new user with about the same name only to mention myself and test web push notifications.

Re: Setup

Posted: Tue Jan 29, 2019 9:28 am
by TrianguloY
I updated the permissions of the 'support' subforum to 'standard access' for users (they still had the default). This will disable the manual approval of posts.
Currently the permissions should be so that all forums have standard access except subforums in 'general', which have 'read only access' with ability to reply to existing posts.

Also, I've seen that creating polls is enabled only on 'feature suggestions' and 'other discussions'. I understand those forums are the most likely to have polls, but perhaps it should be a good idea to enable it in the others too, to have consistent permissions.

Re: Setup

Posted: Wed Jan 30, 2019 4:03 am
by Pierrot
That's ok for me.

Re: Setup

Posted: Sun Feb 24, 2019 8:53 am
by F43nd1r
Looks like we've got some spam bots already. Maybe we should reconsider this

Re: Setup

Posted: Sun Feb 24, 2019 9:04 am
by TrianguloY
I'm afraid yes. There are currently 120 members, and almost half of them seem to be bots. (We should probably delete them now, I don't think there are doubts about normal or bot user, the usernames and emails seem randomized).

So it seems that the captcha of the registration is not very effective, maybe we can also consider using a different one?

Re: Setup

Posted: Sun Feb 24, 2019 10:39 am
by TrianguloY
I deleted some spam users via the inactive menu, which allows mass deleting multiple users (they were obviously spam accounts). But there are still a lot of other non-inactive users that need to be deleted manually one by one (or I couldn't find a better way other than doing a search query, which is not useful because the usernames/IPs/emails are more or less randomized).
The main problem here is with user registration: the captcha seems useless, we need to change it.
But it seems the problem is a very common one on forums, so it seems it is time to enable the 'review first post' method.

Re: Setup

Posted: Sun Feb 24, 2019 10:49 am
by F43nd1r
https://www.phpbb.com/customise/db/exte ... orum_spam/ is the only free anti-spam extension I could find.

Re: Setup

Posted: Sun Feb 24, 2019 11:07 am
by F43nd1r
I've switched the captcha to Q&A, which should stop the current wave of registrations. Maybe reCaptcha would be a better long-term solution @Pierrot?

Re: Setup

Posted: Sun Feb 24, 2019 6:09 pm
by Pierrot
Thanks.
I thought reCaptcha wasn't free, I'll check.

Re: Setup

Posted: Sun Feb 24, 2019 6:30 pm
by Pierrot
I set up reCaptcha v2 (v3 doesn't work with phpBB 3.2 yet). I only had to fill a few settings.
Let's see how it performs.

Re: Setup

Posted: Mon Aug 12, 2019 11:19 am
by F43nd1r
I'm banning bots every day now. Do we have any other spam protection measures?

Re: Setup

Posted: Wed Aug 14, 2019 8:07 am
by Pierrot
Me too. I don't see anything better than recaptcha. I haven't checked whether bots were connecting through a normal account or through the social login plugin.

Re: Setup

Posted: Thu Aug 15, 2019 4:45 pm
by TrianguloY
Same here (although some are clever!). Perhaps it is time for manual approving? We seem active enough to activate real users in less than a day or so when asking.

I'll try to check how the banned users were connecting, but I'm a bit new with this moderation panel.

Re: Setup

Posted: Fri Aug 16, 2019 11:50 pm
by F43nd1r

Re: Setup

Posted: Fri Aug 16, 2019 11:51 pm
by F43nd1r
In general I'm also in favor of manual approval for new users. Maybe we could get some of the regulars to help us as moderators?

Re: Setup

Posted: Sat Sep 07, 2019 9:43 pm
by TrianguloY
@Pierrot New measures are needed, almost every day there is a spam post now.
I checked and it doesn't seem the bots are using the social connection, just the normal registration.

Re: Setup

Posted: Sun Sep 08, 2019 1:30 pm
by TrianguloY
Ok, I enabled the manual approving for new members.
From now on, posts from new members will not be shown publicly, and will need to be manually approved (not sure if admins only or moderators too).
Also, once the user has one post approved, it should automatically be able to post without approval... but I tested this and it didn't work so well, theoretically the 'newly registered user' group should be removed, but it seems it isn't. Can be removed from admins manually if necessary in the meantime.

Let's see what happens now, it can be changed if necessary.

[Edit: not sure what will happen with the OneAll extension, needs more testing]

Re: Setup

Posted: Sun Sep 08, 2019 2:45 pm
by Pierrot
Thank you for this.
It's probably more work to fool social logins, so at least I hope it will be safer on this side.

Re: Setup

Posted: Sun Sep 08, 2019 10:58 pm
by juwlz
Sounds like a plan

Re: Setup

Posted: Tue Jan 21, 2020 2:01 am
by F43nd1r
I've disapproved close to 200 spam posts today. All of them were so easy to recognize, so these are definitely bots.

@Pierrot would it be possible to update to phpBB 3.3? It includes support for "Invisible reCAPTCHA", which isn't broken yet (the currently active reCaptcha v2 is obviously not a barrier for bots anymore).