Setup

[Pierrot]

Upon install, phpBB comes with a few default groups (three of them are user groups) and a default set of roles. Additionally, the OneAll extension (to allow social login) adds a fourth user group.

How should we setup groups and permissions? The less we have, the simpler it is. I'm pretty sure that too much granularity may result in a nightmare to manage.

Basically, my personal point of view is that nothing should be hidden. Not all users should have the right to modify everything, but I would like that at least everyone is able to read and reply to existing topics, except of course those for which there is really no need to comment (they should be pretty rare though).

Other general rules that I have in mind (some of them are obvious):

• only administrators can post in General (this is reserved for announcements and stuff like that), but anyone can leave a comment
• only administrators and moderators can post in Forum managements, but anyone can leave a comment
• there may be some forums where new users should not be able to post new topic, namely Tutorials (and other ?), but other than that I believe they should have the right to do it.

Discussion is open.

[TrianguloY]

Administrators and moderators can be left as they are now.
About normal users groups, it depends on how we want to address spam.
The simplest solution is to have only one normal users group ('registered user' for example) with the expected minimum necessary permissions. Once you register, you can post/comment where applicable.
An alternative solution (the most common one I think) is to have two separate user groups, the previous one and another 'new users'. This second default group should have very limited permissions, perhaps only comment on the support category and without attachments, and once they create 5 posts (or another objective we choose) they are automatically moved to the previous and less restricted group.
The third and more restrictive approach is to have manual approval, in case spam becomes a real issue. This way the 'new users' group should only have permission to comment in a 'welcome' subforum, and should be manually updated by moderators/administrators.

I think we can start with the first approach, perhaps in the future move to the second one, and only if strictly necessary think about the third.

[Pierrot]

The "new member post limit" is currently set to 3, but if possible I would prefer that new users can create topics as soon as they register. The reason is that if someone register to get some help, he/she needs to create a topic.

I agree with you, lets start with the first approach and see how it goes. I'm not too worried about spam at the moment because I'm not too sure that there will be a lot of members

[TrianguloY]

The "new member post limit" is now set to 0, and so the first approach is active.
To be edited in the future if necessary.

[Pierrot]

Ok. This is also possible to modify forum permissions to allow posting for new users. This is what I did at the beginning (except for tutorials).

[juwlz]

The "new member post limit" is now set to 0, and so the first approach is active.
To be edited in the future if necessary.

I'm not sure that's working as intended. I'm getting notifications (because I've enabled them) that Pierrox's posts need approval

Edit - scratch that - I was misled by the email address used for the notifications.

[Pierrot]

Oh sorry, that's probably me making experiments with notifications, I registered a new user with about the same name only to mention myself and test web push notifications.

[TrianguloY]

I updated the permissions of the 'support' subforum to 'standard access' for users. (they still had the default) This will disable the manual approval of posts.
Currently the permissions should be so that all forums have standard access except subforums in 'general', which have 'read only access' with ability to reply to existing posts.

Also, I've seen that creating polls is enabled only on 'feature suggestions' and 'other discussions'. I understand those forums are the more likely to have polls, but perhaps it should be a good idea to enable it in the others too, to have consistent permissions.

[Pierrot]

That's ok for me.

[F43nd1r]

Looks like we've got some spam bots already. Maybe we should reconsider this

[TrianguloY]

I'm afraid yes. There are currently 120 members, and almost half of them seem bots. (We should probably delete them now, I don't think there are doubts about normal or bot user, the usernames and emails seems randomized).

So it seems that the captcha of the registration is not very effective, maybe we can also consider using a different one?

[TrianguloY]

I deleted some spam users via the inactive menu, which allows to mass delete multiple users (they were obviously spam accounts). But there are still a lot of other non-inactive users that need to be deleted manually one by one (or I couldn't find a better way other than doing a search query, which is not useful because the usernames/ips/emails are more or less randomized).
The main problem here is with user registration: the captcha seems useless, we need to change it.
But it seems the problem is a very common one on forums, so it seems it is time to enable the 'review first post' method.

[F43nd1r]

https://www.phpbb.com/customise/db/exte ... orum_spam/ is the only free anti-spam extension I could find.

[F43nd1r]

I've switched the captcha to Q&A, which should stop the current wave of registrations. Maybe reCaptcha would be a better long-term solution @Pierrot?

[Pierrot]

Thanks.
I thought reCaptcha wasn't free, I'll check.

[Pierrot]

I setup reCaptcha v2 (v3 doesn't work with phpBB 3.2 yet). I only had to fill a few settings.
Let's see how it performs.

[F43nd1r]

I'm banning bots every day now. Do we have any other spam protection measures?

[Pierrot]

Me too. I don't see anything better than recaptcha. I haven't checked whether bots were connecting through a normal account or through the social login plugin.

[TrianguloY]

Same here (although some are clever!). Perhaps it is time for manual approving? We seem active enough to activate real users in less than a day or so when asking.

I'll try to check how the banned users were connecting, but I'm a bit new with this moderation panel.

[F43nd1r]

How about https://www.phpbb.com/customise/db/exte ... orum_spam/?

[F43nd1r]

In general I'm also in favor of manual approval for new users. Maybe we could get some of the regulars to help us as moderators?

[TrianguloY]

@Pierrot New measures are needed, almost everyday there is a spam post now.
I checked and it doesn't seem the bots are using the social connection, just the normal registration.

[TrianguloY]

Ok, I enabled the manual approving for new members.
From now on, posts from new members will not be show publicly, and will need to be manually approved (not sure if admins only or moderators too).
Also, once the user has one post approved, it should automatically be able to post without approval...but I tested this and it didn't work so well, theoretically the 'newly registered user' group should be removed, but it seems it isn't. Can be removed from admins manually if necessary in the meantime.

Let's see what happens now, it can be changed if necessary.

[Edit: not sure what will happen with the OneAll extension, needs more testing]

[Pierrot]

Thank you for this.
It's probably more work to fool social logins, so at least I hope it will be safer on this side.

[juwlz]

Sounds like a plan

[F43nd1r]

I've disapproved close to 200 spam posts today. All of them were so easy to recognize, so these are definetly bots.

@Pierrot would it be possible to update to phpBB 3.3? It includes support for "Invisible reCAPTCHA", which isn't broken yet (the currently active reCaptcha v2 is obviously not a barrier for bots anymore).