New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Allow registered users to upload drafts for others #2390
Comments
@henrik@levkowetz.com commented Hi Martin, We have somewhere between 6000 and 10000 datatracker accounts which most likely does not belong to actual IETF participants. Even if we've added heuristics which makes nuisance account creation much harder after the bulk of these were created, we still have to assume that anyone who would like to do something annoying would be able to do so. I would hesitate to permit posting of new draft versions other than by one of the authors, without replacing that restriction with something else. One possibility would be to generate an API key per document, in lieu of the author email, and make the key visible to the authors on the draft page when logged in; and then tweak the current API to accept such a key. The presence of the key would permit a user to post a draft without being the author. Would that work for you? Or do you have other suggestions?
|
@mt@lowentropy.net commented That would be quite inconvenient. I'm only asking for parity with the web UI. Anyone (without even logging in) can post anyone else's draft. The nuisance factor is no worse here than today really. As the genuine draft author, it might be annoying to cancel a nuisance draft posting, but the way the system works means that you can only ever upload one replacement draft at a time anyway. So you get at most one nuisance revision per draft that you have. That doesn't seem like a big deal. |
@henrik@levkowetz.com commented There's a large difference in the ease of scripting the manual submission and the ease of scripting the API endpoint; and the automation API has already increased our vulnerability to malicious use. So yes, the potential nuisance factor is really greater than today. I'm not willing to increase that further. Please propose some other effective mitigation, if you find the per-draft API key proposal so inconvenient that it's not going to work in practice. |
@mt@lowentropy.net commented Is this based on real experience with denial of service or abuse? I spent some time trying to work out how to manage API keys. The best option I can think of involves storing a per-draft key in a file in the repository. That said, it would be more convenient for me to build a submission option that used the existing web forms than that. Acquiring the keys and populating the file would be more time-consuming. |
@henrik@levkowetz.com commented Replying to ietf-svn-conversion/datatracker#2390 (comment:4):
Automated account creation and wiki spam, yes. Both on tools.ietf.org and on ietf.org Abuse of the draft submission tool, no; and I don't want to have it happen. If you look at RFC4228 you'll find we took some care in limiting the attack possibilities of the tool when it was first proposed.
Ok, fair enough. Please let me know if you want me to go ahead with the API keys. |
@rjsparks@nostrum.com changed priority from |
@rjsparks@nostrum.com changed status from |
@rjsparks@nostrum.com changed resolution from `` to |
@rjsparks@nostrum.com commented For the act of submission (the creation of Submission objects) this is essentially #2639. I'm going to close this ticket as a duplicate. If that's not right, reopen it. |
resolution_duplicate
type_defect
| by mt@lowentropy.netThe current form submission process allows people to submit drafts for others. It just adds the following warning:
"Please note that since the database does not have your email address in the list of authors of previous revisions of the document, you are not receiving a confirmation email yourself; one of the addressees above will have to send a confirmation in order to complete the submission. This is done to avoid document hijacking. If none of the known previous authors will be able to confirm the submission, please contact the Secretariat for action."
The QUIC working group has a repository with multiple drafts. Synchronizing publication of those drafts is desirable, so a single person does this. The automated submission API rejects these uploads with a message such as:
"Validation Error: [u'Submitter martin.thomson@gmail.com is not one of the document authors']"
Now the email address isn't authenticated at this step, so it would be possible to spoof the email address of a legitimate author, but that is difficult and unnecessary. I would rather have the system allow the draft to be submitted.
I know that this might not be exactly what we discussed; we agreed that the submitter would be an author AND have an account, but it turns out that the author requirement is a real burden in practice.
Issue migrated from trac:2390 at 2022-03-04 05:59:00 +0000
The text was updated successfully, but these errors were encountered: