Conversation
39a9d2d to 7f89aa4
This adds the ability to ban a user by their IP address. When an admin is viewing a user profile, a new "Ban user" button is present. Clicking on that will:

- Create a ban on the IP addresses that were tracked for that user's sessions
- Remove all the messages authored by that user
- Log the user out immediately

In addition, that user will no longer be shown in most user lists in the app. They are still shown to admins, in account settings. Viewing their profile from there will now show a "Remove ban" button which can be used to restore their access (it doesn't restore their messages though -- those are already gone -- it just removes the blocks so they can log in again).
7f89aa4 to 30fe6ab
```ruby
private

def reject_banned_ip
  head :too_many_requests if Ban.banned?(request.remote_ip)
```
Just curious, how come you went with too many requests?
I was on the fence between that and 403. 429 felt a little more like "we're not accepting traffic from you right now", especially if we end up doing temporary bans. But I could easily be convinced that 403 is more appropriate. I think either one works.
Questions as I noticed all other features were closed:
@TyIsI yes, this banning feature is per-IP, as well as blocking the user account. If someone moves to another IP address they could sign up again as a different user. Preventing that would require a way to differentiate between the same (banned) person signing up a fresh account from a different IP, vs an unrelated signup.

And agree, banning by IP can sometimes be quite a blunt tool. With shared IPs it's possible you would affect other people in the ban. But again, there's a limit to what you can control from within the app.

This feature is meant to be a pragmatic option that you can reach for if someone is acting in an abusive or antisocial way. It gets the malicious user out of the chat immediately, and the IP ban makes it more work for them to keep signing up repeatedly (which is likely to deter many users in practice). But it does have edge cases and workarounds. We can always consider improvements to this, too. It doesn't have to be the final answer. But I think we do need a ban to be more than just disabling the user account for it to be effective.
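To make the mechanics discussed above concrete, here is an added, stand-alone Ruby sketch of what a `Ban.banned?(request.remote_ip)` check could look like; it is not the project's code. `BanList`, `reject_banned_ip`, the CIDR support and the expiry field are assumptions of this example, included to show the temporary-ban idea from the review thread and why a range ban also catches everyone behind a shared address.

```ruby
require "ipaddr"
require "time"

# Hypothetical stand-in for the PR's Ban model (not the project's code).
# Each entry is an address or CIDR range with an optional expiry, so a
# temporary ban (as floated in the review) simply stops matching later.
class BanList
  Entry = Struct.new(:addr, :expires_at)

  # `now` is injectable so expiry can be tested without sleeping.
  def initialize(now: -> { Time.now })
    @entries = []
    @now = now
  end

  # Ban a single address ("203.0.113.7") or a range ("198.51.100.0/24").
  # A range hits every client behind it, which is the shared-IP caveat:
  # keep range bans deliberate and time-limited.
  def ban(cidr, expires_at: nil)
    @entries << Entry.new(IPAddr.new(cidr), expires_at)
    self
  end

  # Counterpart of the "Remove ban" button: drop entries for that address/range.
  def unban(cidr)
    target = IPAddr.new(cidr)
    @entries.reject! { |e| e.addr == target }
    self
  end

  # Equivalent of Ban.banned?(ip): true if any unexpired entry covers the address.
  def banned?(ip)
    addr = IPAddr.new(ip)
    @entries.any? do |e|
      (e.expires_at.nil? || e.expires_at > @now.call) && e.addr.include?(addr)
    end
  rescue IPAddr::InvalidAddressError
    false # malformed remote address: not treated as banned, caller decides
  end
end

# Mirrors the before_action in the diff: 429 (the PR's choice) for a banned
# client, nil to let the request continue.
def reject_banned_ip(bans, remote_ip)
  bans.banned?(remote_ip) ? 429 : nil
end
```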
Add IP-based user banning

Closes: #95
/cc @monorkin @jzimdars