What can I do to moderate the user topics of newly registered users?

Problem

When a Foswiki installation is publicly accessible from the internet, and you need to allow registrations, this inevitably attracts spammers. Even if you restrict permissions so that newly registered users cannot change or add any content, they can still use the fields provided in the UserRegistration form to create keyword/link spam or, on Foswiki versions 1.1.4 and earlier, malicious HTML/script code (see Support.SecurityAlert-CVE-2012-1004).

Context

The default user registration mechanism is in use, and it is set up to allow registrations. Additionally, the installation is public, and public registrations need to be supported.

Solution

Prevent the user registration process from creating a reward for the spammer: restrict VIEW access on new user topics, so that search engines do not index the content, and prevent innocent clicks to the user topic from potentially exposing them to malicious script (but do ensure your Foswiki installation is up-to-date).

Customize your existing System.NewUserTemplate by copying it to Main.NewUserTemplate, and add something like the following:

---++ Temporary restrictions
This user ([[%WIKIUSERNAME%][%WIKINAME%]]) needs to be added to a [[WikiGroups][WikiGroup]], then the following restrictions should be removed by somebody from the Main.ModeratorGroup:
   * Set ALLOWTOPICVIEW = Main.ModeratorGroup, %WIKIUSERNAME%
   * Set ALLOWTOPICCHANGE = Main.ModeratorGroup

Known Uses

http://wiki.trin.org.au

Known Limitations

Removing bogus/spammer user topics needs to be coordinated with removal of the corresponding username/pass/email lines from the .htpasswd file (if using the default HtPasswdUser password manager).

See Also

• Support.Faq12 - How to manually approve registrations
• Tasks.Item11501
• Support.SecurityAlert-CVE-2012-1004
• FaqSecureFoswikiAgainstAttacks