Forum update [was: the forum is flooded by Spam. What can I do ?]

Great job, Lambertus :slight_smile:

one minor problem: Clicking on a link in a post does not open a new page like before.

Regards

walter

I am using a number of features in my squid - proxy server - to enhance anonymity a little bit

reply_header_access Via deny all
reply_header_access X-Forwarded-For deny all
reply_header_access From deny all
reply_header_access Server deny all
reply_header_access WWW-Authenticate deny all
reply_header_access Link deny all
reply_header_access X-Cache-Lookup deny all
reply_header_access X-Squid-Error deny all
reply_header_access X-Cache deny all
reply_header_access Referer deny all
reply_header_access User-Agent deny all

So far I have had no problems using any of these features on any of the web pages I use until the upgrade of this very forum. Now using “reply_header_access Referer deny all” returns the following error while posting:

Bad HTTP_REFERER. You were referred to this page from an unauthorized source. If the problem persists please make sure that ‘Base URL’ is correctly set in Admin/Options and that you are visiting the forum by navigating to that URL. More information regarding the referrer check can be found in the FluxBB documentation.

I have disabled that line in squid to post this message, but I would hate it to be the last post as I am not going to turn it off just for one forum, sorry. Besides, does that enhance security of the forum anyway?

I have had Refcontrol as a Firefox plugin for years, never had a problem with it until now! Setting is “forge”, it sends the root of the site (e.g. forum.openstreetmap.org). Same problem “HTTP_REFERER”. Workaround is to add an exception, but is this security feature really necessary?

https://addons.mozilla.org/en-US/firefox/addon/refcontrol/

Does choosing one of the other styles (via your Profile page) help?

Yes, that’s one of the modifications I need to re-apply.
Edit: Should be fixed now

Re: Bad HTTP_REFERER
This seems to be a design flaw in FluxBB. I’m not a security expert, so I hope someone more knowledgeable can say if this modification would help? I.e. changing from checking a token instead of the HTTP_REFERER?

Failing test post with Refcontrol on:
Referer header of POST request is: “http://forum.openstreetmap.org/”

Successful test post with Refcontrol off:
Referer header of POST request is: “http://forum.openstreetmap.org/post.php?action=post&tid=36900”

I see that this is a quite crude security measure by FluxBB, the patch might help here if it applies cleanly. If there is no other easy solution I can live with adding an exception in Refcontrol.

Post moderation is implemented now. Existing users should have no trouble posting anywhere, but there are several options at various places so it might need some tinkering to get all settings correct. Please report problems if you encounter one.

@Lambertus - thanks for all your efforts (and to the moderators too). Hope you get some sleep now :slight_smile:

You’re welcome.

Now, in order of importance, the following mods:

  • OSM API authentication so that new users can enter the forum (new registrations are disabled for now) → Finished.
  • fix the ‘bad referrer’ problem by implementing a CSRF synchronizer token pattern. Thanks Jojo4u for the feedback.
  • Easy BBCode & quick quote
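
The two approaches discussed in this thread, side by side, as an added example that is not FluxBB's code or the patch mentioned above: a simplified strict Referer check, which rejects the Refcontrol and squid cases reported here, and a session-bound synchronizer token, which does not depend on the header. All function names are hypothetical; the Referer values are the ones quoted in the test posts.

```php
<?php
// Added example, not FluxBB code. Function names are hypothetical;
// the Referer values are the two quoted in the thread's test posts.

// Simplified stand-in for a strict referrer check: the Referer must
// start with the expected script under the forum's base URL.
function referer_ok(?string $referer, string $baseUrl, string $script): bool
{
    if ($referer === null || $referer === '') {
        return false;               // header stripped by a proxy
    }
    $expected = rtrim($baseUrl, '/') . '/' . $script;
    return strncmp($referer, $expected, strlen($expected)) === 0;
}

// Synchronizer token: a random value kept in the server-side session
// and embedded in the post form as a hidden field.
function csrf_issue(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Constant-time comparison of the submitted field with the session copy.
function csrf_ok(array $session, ?string $submitted): bool
{
    return isset($session['csrf_token'])
        && is_string($submitted)
        && hash_equals($session['csrf_token'], $submitted);
}

$base    = 'http://forum.openstreetmap.org';
$session = [];                       // stands in for $_SESSION
$token   = csrf_issue($session);     // rendered into the post form

$cases = [
    'full Referer'        => 'http://forum.openstreetmap.org/post.php?action=post&tid=36900',
    'forged to site root' => 'http://forum.openstreetmap.org/',
    'stripped by proxy'   => null,
];
foreach ($cases as $label => $referer) {
    printf("%-20s referer check: %-4s token check: %s\n", $label,
        referer_ok($referer, $base, 'post.php') ? 'pass' : 'FAIL',
        csrf_ok($session, $token) ? 'pass' : 'FAIL');
}
// A cross-site page cannot read the form, so it has no valid token.
printf("%-20s token check: %s\n", 'cross-site forgery',
    csrf_ok($session, null) ? 'pass' : 'FAIL');
```

The legitimate user's post carries the token in all three Referer cases, so the token check is unaffected by header-rewriting proxies and plugins, while a request that lacks the token is rejected.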

When editing/creating messages, I don’t see the handy buttons to format my text. BBCode is on.

This is probably because of a not yet re-applied mod. (other thread)

Actually I like the “new” way. While it is easy to open a link in a new window or tab (with shift+click or ctrl+click) the user cannot decide to open it in the same tab if it is forced by the software.

edit: https://css-tricks.com/use-target_blank/

Thanks for the forum upgrade. Continuously deleting Spam messages and getting flooded with even more reports was pretty annoying.

The new premoderation seems to work pretty well. I don’t know whether it is intended as a feature, but I like that I can approve posts for parts of the forum that I do not have moderation rights for. It speeds up processing and as long as the mod can understand the language of the post, he can easily tell whether it is SPAM.

bye, Nop

The modification simply doesn’t take into account the forum rights of each moderator. But as it happens, I quite like that behaviour as well.

I often check in to approve a post as I get mails from the moderation queue (if you want to get those mails too, just let me know), just to find out someone already approved/deleted it. Thanks! :slight_smile:

I also would like to have them back.

No thanks, I get enough mails as it is. :slight_smile:

Just a tiny request: Is it possible to add a favicon to the forum so it is easier to spot in the browser tabs.

bye, Nop

Just reporting:

One day this forum is visible, the next day it’s gone, then it pops up again only to disappear into outer space…

Or do you have to log in to see this forum?

Edit:
Checked it out: That is indeed the case! Weird behaviour I must say. All the others are always visible, no matter if you logged in or not…

How exactly does the pre-moderation work?

  • how many posts do we have to approve before a user is allowed to post unmoderated?
  • are there any consequences if the mod decides to delete the post?

I just had a case where a user has posted twice - obviously unaware that it takes mod interaction. I approved the first but had to delete the second, obviously.

bye, Nop

Lambertus, quoting works differently than before. Now you see a quote with the author's name, but you can no longer paste the quote text between the brackets, and the menu seems to have changed. Is that possible?
The Quoting menu has changed. The quote gets filled with the name of the author, but it seems not logical to stick the quote inside it, the menu seems to be changed intended?

Those will be back.

Yes, I’ll add one. Is the favicon from the main OSM website good enough?

That is correct. I reasoned it is not important to have the ‘feedback’ forum visible for non-forum users.

New users are allocated to the ‘new members’ group, this group is moderated and has fewer privileges/functions on the forum. After two approved posts those users are automatically promoted to the (full) ‘member’ group, which is not moderated and has more privileges/functions (e.g. email).

If I recall correctly, new members are notified that their posts are moderated.

Yes, this is part of the EasyBB mod which I still need to re-apply.

me too.