Setup

The way rights are managed
Post Reply
User avatar
Pierrot
Site Admin
Posts: 181
Joined: Wed Jan 23, 2019 12:18 pm
Location: French Alps

Setup

Post by Pierrot » Fri Jan 25, 2019 7:57 am

Upon install, phpBB comes with a few default groups (three of them are user groups) and a default set of roles. Additionally, the OneAll extension (to allow social login) adds a fourth user group.

How should we setup groups and permissions? The less we have, the simpler it is. I'm pretty sure that too much granularity may result in a nightmare to manage.

Basically, my personal point of view is that nothing should be hidden. Not all users should have the right to modify everything, but I would like that at least everyone is able to read and reply to existing topics, except of course those for which there is really no need to comment (they should be pretty rare though).

Other general rules that I have in mind (some of them are obvious):
  • only administrators can post in General (this is reserved for announcements and stuff like that), but anyone can leave a comment
  • only administrators and moderators can post in Forum managements, but anyone can leave a comment
  • there may be some forums where new users should not be able to post new topic, namely Tutorials (and other ?), but other than that I believe they should have the right to do it.
Discussion is open.

User avatar
TrianguloY
Posts: 109
Joined: Thu Jan 24, 2019 9:46 am

Re: Setup

Post by TrianguloY » Fri Jan 25, 2019 9:07 am

Administrators and moderators can be left as they are now.
About normal users groups, it depends on how we want to address spam.
The simplest solution is to have only one normal users group ('registered user' for example) with the expected minimum necessary permissions. Once you register, you can post/comment where applicable.
An alternative solution (the most common one I think) is to have two separate user groups, the previous one and another 'new users'. This second default group should have very limited permissions, perhaps only comment on the support category and without attachments, and once they create 5 posts (or another objective we choose) they are automatically moved to the previous and less restricted group.
The third and more restrictive approach is to have manual approval, in case spam becomes a real issue. This way the 'new users' group should only have permission to comment in a 'welcome' subforum, and should be manually updated by moderators/administrators.

I think we can start with the first approach, perhaps in the future move to the second one, and only if strictly necessary think about the third.

User avatar
Pierrot
Site Admin
Posts: 181
Joined: Wed Jan 23, 2019 12:18 pm
Location: French Alps

Re: Setup

Post by Pierrot » Fri Jan 25, 2019 3:18 pm

The "new member post limit" is currently set to 3, but if possible I would prefer that new users can create topics as soon as they register. The reason is that if someone register to get some help, he/she needs to create a topic.

I agree with you, lets start with the first approach and see how it goes. I'm not too worried about spam at the moment because I'm not too sure that there will be a lot of members :?

User avatar
TrianguloY
Posts: 109
Joined: Thu Jan 24, 2019 9:46 am

Re: Setup

Post by TrianguloY » Fri Jan 25, 2019 6:29 pm

The "new member post limit" is now set to 0, and so the first approach is active.
To be edited in the future if necessary.

User avatar
Pierrot
Site Admin
Posts: 181
Joined: Wed Jan 23, 2019 12:18 pm
Location: French Alps

Re: Setup

Post by Pierrot » Sat Jan 26, 2019 3:55 pm

Ok. This is also possible to modify forum permissions to allow posting for new users. This is what I did at the beginning (except for tutorials).

juwlz
Posts: 19
Joined: Thu Jan 24, 2019 6:51 pm
Location: UK

Re: Setup

Post by juwlz » Mon Jan 28, 2019 8:58 am

TrianguloY wrote:
Fri Jan 25, 2019 6:29 pm
The "new member post limit" is now set to 0, and so the first approach is active.
To be edited in the future if necessary.
I'm not sure that's working as intended. I'm getting notifications (because I've enabled them) that Pierrox's posts need approval :mrgreen:

Edit - scratch that - I was misled by the email address used for the notifications.

User avatar
Pierrot
Site Admin
Posts: 181
Joined: Wed Jan 23, 2019 12:18 pm
Location: French Alps

Re: Setup

Post by Pierrot » Mon Jan 28, 2019 9:06 am

Oh sorry, that's probably me making experiments with notifications, I registered a new user with about the same name only to mention myself and test web push notifications.

User avatar
TrianguloY
Posts: 109
Joined: Thu Jan 24, 2019 9:46 am

Re: Setup

Post by TrianguloY » Tue Jan 29, 2019 9:28 am

I updated the permissions of the 'support' subforum to 'standard access' for users. (they still had the default) This will disable the manual approval of posts.
Currently the permissions should be so that all forums have standard access except subforums in 'general', which have 'read only access' with ability to reply to existing posts.

Also, I've seen that creating polls is enabled only on 'feature suggestions' and 'other discussions'. I understand those forums are the more likely to have polls, but perhaps it should be a good idea to enable it in the others too, to have consistent permissions.

User avatar
Pierrot
Site Admin
Posts: 181
Joined: Wed Jan 23, 2019 12:18 pm
Location: French Alps

Re: Setup

Post by Pierrot » Wed Jan 30, 2019 4:03 am

That's ok for me.

User avatar
F43nd1r
Posts: 50
Joined: Thu Jan 24, 2019 1:20 pm

Re: Setup

Post by F43nd1r » Sun Feb 24, 2019 8:53 am

Looks like we've got some spam bots already. Maybe we should reconsider this

User avatar
TrianguloY
Posts: 109
Joined: Thu Jan 24, 2019 9:46 am

Re: Setup

Post by TrianguloY » Sun Feb 24, 2019 9:04 am

I'm afraid yes. There are currently 120 members, and almost half of them seem bots. (We should probably delete them now, I don't think there are doubts about normal or bot user, the usernames and emails seems randomized).

So it seems that the captcha of the registration is not very effective, maybe we can also consider using a different one?

User avatar
TrianguloY
Posts: 109
Joined: Thu Jan 24, 2019 9:46 am

Re: Setup

Post by TrianguloY » Sun Feb 24, 2019 10:39 am

I deleted some spam users via the inactive menu, which allows to mass delete multiple users (they were obviously spam accounts). But there are still a lot of other non-inactive users that need to be deleted manually one by one (or I couldn't find a better way other than doing a search query, which is not useful because the usernames/ips/emails are more or less randomized).
The main problem here is with user registration: the captcha seems useless, we need to change it.
But it seems the problem is a very common one on forums, so it seems it is time to enable the 'review first post' method.

User avatar
F43nd1r
Posts: 50
Joined: Thu Jan 24, 2019 1:20 pm

Re: Setup

Post by F43nd1r » Sun Feb 24, 2019 10:49 am

https://www.phpbb.com/customise/db/exte ... orum_spam/ is the only free anti-spam extension I could find.

User avatar
F43nd1r
Posts: 50
Joined: Thu Jan 24, 2019 1:20 pm

Re: Setup

Post by F43nd1r » Sun Feb 24, 2019 11:07 am

I've switched the captcha to Q&A, which should stop the current wave of registrations. Maybe reCaptcha would be a better long-term solution @Pierrot?

User avatar
Pierrot
Site Admin
Posts: 181
Joined: Wed Jan 23, 2019 12:18 pm
Location: French Alps

Re: Setup

Post by Pierrot » Sun Feb 24, 2019 6:09 pm

Thanks.
I thought reCaptcha wasn't free, I'll check.

User avatar
Pierrot
Site Admin
Posts: 181
Joined: Wed Jan 23, 2019 12:18 pm
Location: French Alps

Re: Setup

Post by Pierrot » Sun Feb 24, 2019 6:30 pm

I setup reCaptcha v2 (v3 doesn't work with phpBB 3.2 yet). I only had to fill a few settings.
Let's see how it performs.

User avatar
F43nd1r
Posts: 50
Joined: Thu Jan 24, 2019 1:20 pm

Re: Setup

Post by F43nd1r » Mon Aug 12, 2019 11:19 am

I'm banning bots every day now. Do we have any other spam protection measures?

User avatar
Pierrot
Site Admin
Posts: 181
Joined: Wed Jan 23, 2019 12:18 pm
Location: French Alps

Re: Setup

Post by Pierrot » Wed Aug 14, 2019 8:07 am

Me too. I don't see anything better than recaptcha. I haven't checked whether bots were connecting through a normal account or through the social login plugin.

User avatar
TrianguloY
Posts: 109
Joined: Thu Jan 24, 2019 9:46 am

Re: Setup

Post by TrianguloY » Thu Aug 15, 2019 4:45 pm

Same here (although some are clever!). Perhaps it is time for manual approving? We seem active enough to activate real users in less than a day or so when asking.

I'll try to check how the banned users were connecting, but I'm a bit new with this moderation panel.

User avatar
F43nd1r
Posts: 50
Joined: Thu Jan 24, 2019 1:20 pm

Re: Setup

Post by F43nd1r » Fri Aug 16, 2019 11:50 pm


User avatar
F43nd1r
Posts: 50
Joined: Thu Jan 24, 2019 1:20 pm

Re: Setup

Post by F43nd1r » Fri Aug 16, 2019 11:51 pm

In general I'm also in favor of manual approval for new users. Maybe we could get some of the regulars to help us as moderators?

User avatar
TrianguloY
Posts: 109
Joined: Thu Jan 24, 2019 9:46 am

Re: Setup

Post by TrianguloY » Sat Sep 07, 2019 9:43 pm

@Pierrot New measures are needed, almost everyday there is a spam post now.
I checked and it doesn't seem the bots are using the social connection, just the normal registration.

User avatar
TrianguloY
Posts: 109
Joined: Thu Jan 24, 2019 9:46 am

Re: Setup

Post by TrianguloY » Sun Sep 08, 2019 1:30 pm

Ok, I enabled the manual approving for new members.
From now on, posts from new members will not be show publicly, and will need to be manually approved (not sure if admins only or moderators too).
Also, once the user has one post approved, it should automatically be able to post without approval...but I tested this and it didn't work so well, theoretically the 'newly registered user' group should be removed, but it seems it isn't. Can be removed from admins manually if necessary in the meantime.

Let's see what happens now, it can be changed if necessary.

[Edit: not sure what will happen with the OneAll extension, needs more testing]

User avatar
Pierrot
Site Admin
Posts: 181
Joined: Wed Jan 23, 2019 12:18 pm
Location: French Alps

Re: Setup

Post by Pierrot » Sun Sep 08, 2019 2:45 pm

Thank you for this.
It's probably more work to fool social logins, so at least I hope it will be safer on this side.

juwlz
Posts: 19
Joined: Thu Jan 24, 2019 6:51 pm
Location: UK

Re: Setup

Post by juwlz » Sun Sep 08, 2019 10:58 pm

Sounds like a plan

User avatar
F43nd1r
Posts: 50
Joined: Thu Jan 24, 2019 1:20 pm

Re: Setup

Post by F43nd1r » Tue Jan 21, 2020 2:01 am

I've disapproved close to 200 spam posts today. All of them were so easy to recognize, so these are definetly bots.

@Pierrot would it be possible to update to phpBB 3.3? It includes support for "Invisible reCAPTCHA", which isn't broken yet (the currently active reCaptcha v2 is obviously not a barrier for bots anymore).

Post Reply