Vanilla 2.0.x - One way spammers manage to post to Activity
businessdad
MVP
We launched our site last month and, as expected, we got a couple of spammers on board. They could not do much "damage", since we require email confirmation and they never confirmed it, but they immediately started posting on their own activity. To stop them, I put together a solution in our main application, as follows:
- Added a new Garden.Activity.Add permission programmatically (I wanted it to be separated from Profile.edit to have more granularity).
- Implemented a request filter, so that every request could be inspected and the new permission check be enforced on it.
- I did not give the permission to post on Activity to anyone, but Administrator (we don't want our members to use it, anyway).
We put the solution in place and, although we saw a reduced amount of spam, we found out that spam activities were still coming in. I reviewed the web server logs, and I found out something unexpected: there are two ways for spammers to post on Activity.
1. ProfileController::Activity()
This method goes through the ProfileController, which does the following (code reformatted to add comments):
public function Activity($UserReference = '', $Username = '', $UserID = '', $Offset = '0') {
$this->Permission('Garden.Profiles.View');
// [Rendering stuff...]
$Comment = $this->Form->GetFormValue('Comment');
// Check that session is valid
if ($Session->UserID > 0 &&
// Check that postback is authenticated
$this->Form->AuthenticatedPostBack() &&
// Check that comment is not empty
!StringIsNullOrEmpty($Comment) &&
// Check that user has Garden.Profiles.Edit permission. Role "Confirm email" does NOT have it
CheckPermission('Garden.Profiles.Edit')) {
// Active user has submitted a valid comment, let's go ahead
$Comment = substr($Comment, 0, 1000); // Limit to 1000 characters...
// Further processing
2. ActivityController[::Index()]
This method goes straight to the ActivityController and does a much looser check:
public function Index($RoleID = '', $Offset = FALSE) {
$this->Permission('Garden.Activity.View');
// [Rendering stuff...]
// Comment submission
$Session = Gdn::Session();
$Comment = $this->Form->GetFormValue('Comment');
$this->CommentData = FALSE;
// Check that session is valid
if ($Session->UserID > 0 &&
// Check that postback is authenticated
$this->Form->AuthenticatedPostBack() &&
// Check that comment is not empty
!StringIsNullOrEmpty($Comment)) {
// Active user has submitted a valid comment, let's go ahead
$Comment = substr($Comment, 0, 1000); // Limit to 1000 characters...
The check on Garden.Profiles.Edit is not there in ActivityController, thus practically any logged in user can post to the Activity, unless the Garden.Activity.View is removed from their role. Since it's not intuitive that a "View" permission could grant posting rights, spammers can get through before one can realise what's going on.
Solution
To solve the issue, we extended or request pre-processor to cover ActivityController as well and check that proper permissions are in place, but it would be good to strengthen the validation in the core. I can post this suggestions to Github too, if the team reckons it may be useful.
Comments
I think you should post it to GitHub any way. Even if the team will release a 2.0.18.11 it might not happen very soon and if your proposal is on GitHub, every admin of a Vanilla installation can benefit from your findings immediately.
I wish this was a standard option, thank you for posting. I've searched the discussions and i've found little about this topic. Our board in inundated daily with spammers on the activity feed. I've tried all of the different registration methods and it persists (it's still not clear to me why they are able to post).
There isn't a plugin to manage this, right? Or even just disable the activity feed?
This is an aside from businessdad's excellent solution with more granularity. So you could make the changes he suggests or with lesser granularity you can do the following.
@JamieD
to digress from businessdad's solution and to provide you an answer to your question.
if you want applicants and users in confirm role not to spam the activity board.
for applicant role and confirm email role....
you can restrict the permissions so they only have
signin allow. and
profiles view, and
discussions view.
nothing else checked.
thats all they get and they won't be able to post on activity.
unfortunately if profile edit is checked - users can share and post on activity wall.
but if profile edit is not checked they cannot edit their profile (which is unnecessary for confirm email role or applicant (because they are not approved).
I may not provide the completed solution you might desire, but I do try to provide honest suggestions to help you solve your issue.
As @peregrine mentioned, there isn't such a plugin. I'm developing one to take care of this issue, as well as perform automatic Activity cleaning based on specific filters, but it's on a low priority at the moment. In the meantime, here's an excerpt from our code, illustrating the solution we used.
Note: the code below has been extracted from more complex classes and it has not been tested. Therefore, it may require adjustments to work.
1. Register a new permission
In a custom plugin, or application, add the following:
$PluginInfo['YourPlugin'] = array( 'Name' => 'YourPlugin', 'Description' => 'Something something something dark sided.', 'Version' => '1.2.3.4', // I'm not British, I just like the song 'Author' => 'William, William, Henry, Stephen, Henry, Richard, John, oi!', 'AuthorEmail' => 'monarchs@britain.co.uk', 'RegisterPermissions' => array( // Permission to allow users to post activity 'Garden.Activity.Add', ), );This will add the
Garden.Activity.Addpermission when the plugin is enabled.2. Intercept events before they are dispatched
/** * Intercepts requests before they are dispatched to the controller. This * allows to alter them, if needed. * * @param Gdn_Dispatcher Sender * @param array EventArgs The event arguments. */ public function Base_AfterAnalyzeRequest_Handler($Sender, $EventArgs) { $this->ValidateActivityPost($Sender, $EventArgs); }3. Validate the operation
/** * Validates data posted to activity, to ensure that only users with proper * permissions can post comments. * * @param Gdn_Dispatcher Sender * @param array EventArgs An array of arguments. */ protected function ValidateActivityPost($Sender, $EventArgs) { $Controller = $EventArgs['Controller']; $ActivityComment = trim($Controller->Form->GetFormValue('Comment')); // If User is trying to post an activity and he doesn't have the permission // to do so, simply delete the activity, so that Vanilla will ignore the post if(!CheckPermission('Garden.Activity.Add')) { // The Logger is a custom plugin we developed, available in the Addons //$this->Log()->trace(T('Permission denied, comment cleared.')); // Empty the comment. Vanilla ignores empty comments by default $Controller->Form->SetFormValue('Comment', ''); } else { // Just log that the user has the permission to post. Useful for debugging. //$this->Log()->trace(T('Permission granted.')); } }4. Assign correct permissions
By default, the SuperAdmin will be able to post Activity no matter what, while anyone else will not. If you wish some roles to be able to post on activity "wall", just tick the
Garden.Activity.Addpermission.5. Optional, but recommended
Add the "post activity" form for users who don't have the proper permission.
6. Send @peregrine and me a crate of beer for the consultancy (HIGHLY recommended)
My shop | About Me
.oO(Sometimes I wish I could click on all reactions at the same time)
Thank you, this is invaluable information! What kind of beer?
you can send the entire beer donation to @businessdad - perhaps guiness
I may not provide the completed solution you might desire, but I do try to provide honest suggestions to help you solve your issue.
Belgian abbey beer, thanks.
My shop | About Me