[aur-dev] cookies + suspended account
Hello, I have been having to deal with some idiot who is pissed off in the aur for some reason. He keeps marking all my packages out of date. And somehow he is able to continually do this even after I have suspended his account. I am not sure if this is because of the cookie still working and him still being logged in. Would it be possible to add captchas to flag packages out of date, or to make it so that suspending an account kills the cookie? https://aur.archlinux.org/account/YyTe/ https://aur.archlinux.org/account/293oHrnk/ https://aur.archlinux.org/account/iou https://aur.archlinux.org/account/b2qLe1Np/ Thanks, -- Daniel Wallace Archlinux Trusted User (gtmanfred) Georgia Institute of Technology
On Tue, Feb 26, 2013 at 02:20:18PM -0500, Daniel Wallace wrote:
Hello, I have been having to deal with some idiot who is pissed off in the aur for some reason. He keeps marking all my packages out of date. And somehow he is able to continually do this even after I have suspended his account. I am not sure if this is because of the cookie still working and him still being logged in.
Would it be possible to add captchas to flag packages out of date, or to make it so that suspending an account kills the cookie?
I actually like the idea of a captcha for the Out of Date flag. Would also prevent people from accidentally marking things as non-maintainers cannot mark them un-out of date. -- William Giokas | KaiSforza GnuPG Key: 0x73CD09CF Fingerprint: F73F 50EF BBE2 9846 8306 E6B8 6902 06D8 73CD 09CF
On Tue, 26 Feb 2013 13:29:21 -0600, William Giokas <1007380@gmail.com> wrote:
On Tue, Feb 26, 2013 at 02:20:18PM -0500, Daniel Wallace wrote:
Hello, I have been having to deal with some idiot who is pissed off in the aur for some reason. He keeps marking all my packages out of date. And somehow he is able to continually do this even after I have suspended his account. I am not sure if this is because of the cookie still working and him still being logged in.
Would it be possible to add captchas to flag packages out of date, or to make it so that suspending an account kills the cookie?
I actually like the idea of a captcha for the Out of Date flag. Would also prevent people from accidentally marking things as non-maintainers cannot mark them un-out of date.
-- William Giokas | KaiSforza GnuPG Key: 0x73CD09CF Fingerprint: F73F 50EF BBE2 9846 8306 E6B8 6902 06D8 73CD 09CF
Great idea. I hate entering captchas just as much as the next guy but seeing all my packages have been flagged out of date as well. I'm all for it. -- Federico Cinelli <cinelli.federico@gmail.com> Arch Linux Trusted User (cinelli) GnuPG Key: 0xC6C11350 "Stay true."
Captchas can be tiresome. How about letting package maintainers "power-unflag" packages instead, so that it cannot be flagged again by the same people, until the next package+version upgrade. -- Sincerely, Alexander Rødseth xyproto / TU
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 26/02/13 16:20, Daniel Wallace wrote:
Hello, I have been having to deal with some idiot who is pissed off in the aur for some reason. He keeps marking all my packages out of date. And somehow he is able to continually do this even after I have suspended his account. I am not sure if this is because of the cookie still working and him still being logged in.
Would it be possible to add captchas to flag packages out of date, or to make it so that suspending an account kills the cookie?
https://aur.archlinux.org/account/YyTe/ https://aur.archlinux.org/account/293oHrnk/ https://aur.archlinux.org/account/iou https://aur.archlinux.org/account/b2qLe1Np/
Thanks,
For solving the problem right now -quick and dirty-, we just have to add a validation (tsk tsk anyone who wants to sum contributions can code this silly patch), if the user is suspended don't let him flag the package and actually redirect him to the logout page (to kill those cookies). Then again, we must re-think how to handle this issue better, is horrible to repeat that validation everywhere. Don't we have a magic function/class which we should invoke for checking permissions on every interaction with the user? -long time without checking the aur code-. Cheers. - -- Be a local everywhere! Angel Velasquez CTO/Co-Founder @ citibuddies Arch Linux Developer @citibuddies @angvp #citibuddies http://www.citibuddies.com http://www.angvp.com.ar -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.19 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQEcBAEBAgAGBQJRLiEqAAoJEEKh2xXsEzutq3IH/jviDOZJhmy9aZoSqzqe27vZ yGNropWpdSNH6WW3NF1FWFeXFBWKG7crQP77hOvVshbWJRvMJpVbDM6236boPa1r wTwFofHBo6/+T7j0KUm6GdG21B5kHxh8pNFTUzg3GZn8d0QkFnCtr3X9IB+l/VTM KP8Wc6uiIFI6CwQLAEmYueSwD6uJAMLKK0sxDW1rSxBBKExbImnGBjSSN11grtL7 E9Cj/QlphlTZAWTs054LyJbQSRm0uu8IT363long2pbWYLxnONqNzKyWJcxiyX0R CHaGl/28MQfyiYpGFb153qAR7Qp0rZfsGM2lOANweSJYIW/XHVdE1Mgn7yXpXtk= =6Bnl -----END PGP SIGNATURE-----
Hi, 2013/2/27 Angel Velásquez <angvp@archlinux.org>:
For solving the problem right now -quick and dirty-, we just have to add a validation (tsk tsk anyone who wants to sum contributions can code this silly patch), if the user is suspended don't let him flag the package and actually redirect him to the logout page (to kill those cookies).
Wouldn't he/she/they be able to just register more accounts and continue flagging packages this way? - Alexander
On Wed, 27 Feb 2013 23:26:11 +0100, Alexander Rødseth <rodseth@gmail.com> wrote:
Hi,
2013/2/27 Angel Velásquez <angvp@archlinux.org>:
For solving the problem right now -quick and dirty-, we just have to add a validation (tsk tsk anyone who wants to sum contributions can code this silly patch), if the user is suspended don't let him flag the package and actually redirect him to the logout page (to kill those cookies).
Wouldn't he/she/they be able to just register more accounts and continue flagging packages this way?
- Alexander So everyone know's I've renamed this mystery person... the AUR-Bandit (in my mind)
Adding to, what Alexander had mentioned, No matter what we do about the AUR-Bandit. They (refering to any future AUR-Bandits out there as an entity) find away around it. If not to do something silly/annoying, like flag all of mine / gtmanfred's / whoever-elses aur packages out of date, then just to say that they did. I don't know, maybe I just have little faith on people being nice. I mean it's the way it's always been I guess. -First you had to just hit <enter> -Then you had a click a box before you hit <enter> -Then you had to click a box and make sure you scrolled through the entire bs -they wanted you to read and hit <enter> -Then came e-mail comfirmation -Then captcha's -Next you will have to do a forward roll, the macarena, turn the lightswitch on/off 33 times, answer security question that asks: "What is your great-great-great Aunt's best friend's, first stuffed animal called?" (and no hints) /o\... I think you see what I'm getting at. -- Federico Cinelli <cinelli.federico@gmail.com> Arch Linux Trusted User (cinelli) GnuPG Key: 0xC6C11350 "Stay true."
On Wed, Feb 27, 2013, at 08:33 PM, Federico Cinelli wrote:
On Wed, 27 Feb 2013 23:26:11 +0100, Alexander Rødseth <rodseth@gmail.com> wrote:
Hi,
2013/2/27 Angel Velásquez <angvp@archlinux.org>:
For solving the problem right now -quick and dirty-, we just have to add a validation (tsk tsk anyone who wants to sum contributions can code this silly patch), if the user is suspended don't let him flag the package and actually redirect him to the logout page (to kill those cookies).
Wouldn't he/she/they be able to just register more accounts and continue flagging packages this way?
- Alexander So everyone know's I've renamed this mystery person... the AUR-Bandit (in my mind)
Adding to, what Alexander had mentioned, No matter what we do about the AUR-Bandit. They (refering to any future AUR-Bandits out there as an entity) find away around it. If not to do something silly/annoying, like flag all of mine / gtmanfred's / whoever-elses aur packages out of date, then just to say that they did. I don't know, maybe I just have little faith on people being nice.
I mean it's the way it's always been I guess. -First you had to just hit <enter> -Then you had a click a box before you hit <enter> -Then you had to click a box and make sure you scrolled through the entire bs -they wanted you to read and hit <enter> -Then came e-mail comfirmation -Then captcha's -Next you will have to do a forward roll, the macarena, turn the lightswitch on/off 33 times, answer security question that asks: "What is your great-great-great Aunt's best friend's, first stuffed animal called?" (and no hints) /o\...
I think you see what I'm getting at.
-- Federico Cinelli <cinelli.federico@gmail.com> Arch Linux Trusted User (cinelli) GnuPG Key: 0xC6C11350 "Stay true." Email had 1 attachment: + Attachment2 1k (application/pgp-signature)
I would suggest rate-limiting flaggings by IP and account, and then flagging those accounts in the database for review. That may be killing a fly with a shotgun, but stil... -- Neer Sighted, Hacker http://neersighted.com | neersighted@myopera.com {01DC2056}
On Wed, Feb 27, 2013 at 5:26 PM, Alexander Rødseth <rodseth@gmail.com> wrote:
Hi,
2013/2/27 Angel Velásquez <angvp@archlinux.org>:
For solving the problem right now -quick and dirty-, we just have to add a validation (tsk tsk anyone who wants to sum contributions can code this silly patch), if the user is suspended don't let him flag the package and actually redirect him to the logout page (to kill those cookies).
Wouldn't he/she/they be able to just register more accounts and continue flagging packages this way?
Yes, a malicious user would be able to evade suspension by registering new accounts. In my opinion, those situations call for IP banning.
On Tue, Feb 26, 2013 at 8:20 PM, Daniel Wallace <danielwallace@gtmanfred.com
wrote:
Hello, I have been having to deal with some idiot who is pissed off in the aur for some reason. He keeps marking all my packages out of date. And somehow he is able to continually do this even after I have suspended his account. I am not sure if this is because of the cookie still working and him still being logged in.
Would it be possible to add captchas to flag packages out of date, or to make it so that suspending an account kills the cookie?
Maybe I missed something... I want to get back to the fact, that the user could flag packages after he was suspended. In January, canyonknight committed a patch for this specific problem[1]: "A suspended user can stay in active sessions. Introduce new function delete_user_sessions to remove all open sessions for a specific user. Allows suspensions to take effect immediately." I tested this locally and I can confirm that the suspended user was immediately logged out. Maybe you should file a bug report and we should do some tests here? -- I don't like captchas. What if the time you have to wait between flagging packages will be doubled from package to package? If you stop flagging for one hour (or so), the timer will be resetted. Most of you may know this from password fields. It prevents huge spamming and gets really annoying when you want to flag many many packages. It shoudn't be hard to wait a few seconds if you want to flag just a few. Alex //gridcol [1] https://projects.archlinux.org/aur.git/commit/web?id=150b0f9f0a5174e72a27469...
On Thu, Feb 28, 2013 at 6:30 PM, Alexander Griesbaum <agrsbm@gmail.com> wrote:
On Tue, Feb 26, 2013 at 8:20 PM, Daniel Wallace <danielwallace@gtmanfred.com
wrote:
Hello, I have been having to deal with some idiot who is pissed off in the aur for some reason. He keeps marking all my packages out of date. And somehow he is able to continually do this even after I have suspended his account. I am not sure if this is because of the cookie still working and him still being logged in.
Would it be possible to add captchas to flag packages out of date, or to make it so that suspending an account kills the cookie?
Maybe I missed something... I want to get back to the fact, that the user could flag packages after he was suspended. In January, canyonknight committed a patch for this specific problem[1]: "A suspended user can stay in active sessions. Introduce new function delete_user_sessions to remove all open sessions for a specific user. Allows suspensions to take effect immediately."
Yes, that patch should immediately suspend a user account. There hasn't been a new AUR release since that was committed, so I don't believe it was applied to the official AUR setup.
I tested this locally and I can confirm that the suspended user was immediately logged out. Maybe you should file a bug report and we should do some tests here?
Thanks for confirming that my patch works! Regards, Jason
On Fri, Mar 1, 2013 at 2:37 AM, canyonknight <canyonknight@gmail.com> wrote:
On Thu, Feb 28, 2013 at 6:30 PM, Alexander Griesbaum <agrsbm@gmail.com> wrote:
On Tue, Feb 26, 2013 at 8:20 PM, Daniel Wallace < danielwallace@gtmanfred.com
wrote:
Hello, I have been having to deal with some idiot who is pissed off in the aur for some reason. He keeps marking all my packages out of date. And somehow he is able to continually do this even after I have suspended his account. I am not sure if this is because of the cookie still working and him still being logged in.
Would it be possible to add captchas to flag packages out of date, or to make it so that suspending an account kills the cookie?
Maybe I missed something... I want to get back to the fact, that the user could flag packages after he was suspended. In January, canyonknight committed a patch for this specific problem[1]: "A suspended user can stay in active sessions. Introduce new function delete_user_sessions to remove all open sessions for a specific user. Allows suspensions to take effect immediately."
Yes, that patch should immediately suspend a user account. There hasn't been a new AUR release since that was committed, so I don't believe it was applied to the official AUR setup.
Ah you're right, didn't check that. So THIS issue will be solved with the next release I guess.
Thanks for confirming that my patch works!
You're welcome. -- IP banning sounds nice, but is this often needed? I don't know how many spammers are there in a month/ a year. Perhaps it would measure up the needs if one make flagging many packages in a very short time as hard as possible and have the possibility to roll back user actions easily. I don't know if this whole thing of abusing rights is a huge problem at all, I'm new to this.
On 01/03/13 09:40, Alexander Griesbaum wrote:
On Fri, Mar 1, 2013 at 2:37 AM, canyonknight <canyonknight@gmail.com> wrote:
On Thu, Feb 28, 2013 at 6:30 PM, Alexander Griesbaum <agrsbm@gmail.com> wrote:
On Tue, Feb 26, 2013 at 8:20 PM, Daniel Wallace < danielwallace@gtmanfred.com
wrote:
Hello, I have been having to deal with some idiot who is pissed off in the aur for some reason. He keeps marking all my packages out of date. And somehow he is able to continually do this even after I have suspended his account. I am not sure if this is because of the cookie still working and him still being logged in.
Would it be possible to add captchas to flag packages out of date, or to make it so that suspending an account kills the cookie?
Maybe I missed something... I want to get back to the fact, that the user could flag packages after he was suspended. In January, canyonknight committed a patch for this specific problem[1]: "A suspended user can stay in active sessions. Introduce new function delete_user_sessions to remove all open sessions for a specific user. Allows suspensions to take effect immediately."
Yes, that patch should immediately suspend a user account. There hasn't been a new AUR release since that was committed, so I don't believe it was applied to the official AUR setup.
Ah you're right, didn't check that. So THIS issue will be solved with the next release I guess.
Thanks for confirming that my patch works!
You're welcome. --
IP banning sounds nice, but is this often needed? I don't know how many spammers are there in a month/ a year. Perhaps it would measure up the needs if one make flagging many packages in a very short time as hard as possible and have the possibility to roll back user actions easily. I don't know if this whole thing of abusing rights is a huge problem at all, I'm new to this.
IP banning won't work with TOR.
participants (9)
-
Alexander Griesbaum
-
Alexander Rødseth
-
Angel Velásquez
-
canyonknight
-
Daniel Wallace
-
Federico Cinelli
-
Jelle van der Waa
-
Neer Sighted
-
William Giokas