Make $wgAccountCreationThrottle effective on SUL
Closed, Resolved (Public)

Description

Per T29172#295926 / T29172#295931, the limit $wgAccountCreationThrottle can be easily circumvented because of SUL.


Version: unspecified
Severity: normal
See Also:
T34234: Add a throttle to limit the rate at which non-autoconfirmed users can create additional accounts (bug 32234)

Details

Reference
bz41284

Event Timeline

bzimport raised the priority of this task from to Medium. Nov 22 2014, 1:07 AM
bzimport set Reference to bz41284.
bzimport added a subscriber: Unknown Object (MLST).
He7d3r created this task. Oct 22 2012, 10:54 PM
He7d3r updated the task description. Dec 5 2014, 1:43 AM
He7d3r added a project: acl*security.
He7d3r set Security to None.
He7d3r added a subscriber: csteipp. Dec 5 2014, 1:55 AM

@He7d3r, are you seeing this abused? We could add a hook in SpecialUserlogin so CentralAuth could update the memcache key to make it global, although that seems a little extreme.

You could also make a global abuse filter rule to block accountcreate actions after a throttle is reached. That will at least limit the number of wikis that can be abused.
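
The per-wiki versus global throttle key discussed in the comment above, as an added example that is not part of the original thread and is not MediaWiki or CentralAuth code. It is a small Python model; the class, key format, wiki names, IP address and limit are all constructed for illustration.

```python
import time

class CreationThrottle:
    """Fixed-window counter of account creations per IP (illustrative model)."""

    def __init__(self, limit, window_s=86400, global_scope=False):
        self.limit = limit
        self.window_s = window_s
        self.global_scope = global_scope
        self._cache = {}  # key -> (count, window_expiry); stands in for memcached

    def _key(self, wiki, ip):
        # Per-wiki key: each wiki keeps its own counter for the same IP.
        # Global key: one counter shared by every wiki in the SUL farm.
        scope = "global" if self.global_scope else wiki
        return f"{scope}:acctcreate:ip:{ip}"

    def allow(self, wiki, ip, now=None):
        now = time.time() if now is None else now
        key = self._key(wiki, ip)
        count, expiry = self._cache.get(key, (0, now + self.window_s))
        if now >= expiry:  # window elapsed, start a new one
            count, expiry = 0, now + self.window_s
        if count >= self.limit:
            return False
        self._cache[key] = (count + 1, expiry)
        return True


def accounts_created(throttle, wikis, ip, attempts_per_wiki, now=0.0):
    """Count creations that succeed when one IP tries every wiki in turn."""
    return sum(
        throttle.allow(wiki, ip, now)
        for wiki in wikis
        for _ in range(attempts_per_wiki)
    )


# Constructed sample data: wiki names, IP (documentation range) and limit.
WIKIS = ["enwiki", "enwikiquote", "enwikibooks", "commonswiki"]
IP = "192.0.2.10"
LIMIT = 6

if __name__ == "__main__":
    per_wiki = accounts_created(CreationThrottle(LIMIT), WIKIS, IP, 10)
    shared = accounts_created(CreationThrottle(LIMIT, global_scope=True), WIKIS, IP, 10)
    print(f"per-wiki key: {per_wiki} accounts; global key: {shared} accounts")
```

With the per-wiki key the effective limit scales with the number of wikis, while the shared key holds it at the configured value regardless of which wiki receives the request.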

He7d3r added a comment. Dec 5 2014, 2:09 AM

I don't have data to confirm there is abuse (is there a way to know that?), but the use as a workaround, described on T29172#295926, just exemplifies a procedure that can easily be used for that too.

KTC added a subscriber: KTC. Dec 13 2014, 9:56 PM
jayvdb added a subscriber: jayvdb. Jun 13 2015, 11:16 PM
Restricted Application added a subscriber: Aklapper. Sep 13 2015, 6:28 PM
Reedy added a subscriber: Reedy. Nov 20 2015, 6:05 PM

I don't have data to confirm there is abuse (is there a way to know that?), but the use as a workaround, described on T29172#295926, just exemplifies a procedure that can easily be used for that too.

[17:55:37] <Nemo_bis> https://meta.wikimedia.org/wiki/Mass_account_creation is silly
[17:55:59] <Nemo_bis> The last time, I just told the first row of people to register on Wikipedia, the second in Wikiquote, and so on.
[17:56:13] <Nemo_bis> Up to 4800 attendees, no issue. :D

Bawolff closed this task as Resolved. Mar 10 2016, 9:08 PM
Bawolff claimed this task.
Bawolff added a subscriber: Bawolff.

This was fixed by 09c00438a641

Restricted Application added subscribers: Malyacko, JEumerus. Mar 10 2016, 9:08 PM

So, assuming this fix will remove the workaround people were using for events with many account creations from a single IP, what is the recommended procedure nowadays for such cases?

File a request a couple days (preferably 1 week) prior to the event asking for the throttle to be lifted (include IP of event and roughly how many people are at event).

Also, I don't think rate limits apply to admins, so one admin could create accounts for other people, if there is an admin in attendance.