Bug #25343
Limit Redmine API access for non-members
Status: closed
Description
Today a spammer started using the API to create lots of issues here on Redmine. It was good, because it forced me to learn how to bulk delete :-)
Ideally, though, we would not allow non-members to post new issues via the API. I poked around in the Administration menus and didn't find such an option. Is there a plugin for it?
Updated by Nathan Cutler over 5 years ago
- Priority changed from High to Urgent
Raising priority since apparently the spammer is willing to cross the line over into DDoS territory.
Updated by David Galloway over 5 years ago
- Assignee set to David Galloway
So I can't limit access to the API by group. The attacker had bots creating accounts, verifying them, then creating bogus tickets via the API. Instead of preventing regular users from creating issues (which is what I would have had to do), I have blocked all POST requests to /issues and rate-limited POST requests to /account/register.
I looked in server logs prior to yesterday's attack and don't see any valid POST requests to /issues, which is where the API receives issue creation requests.
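The mitigation described in the comment above, written out as an added nginx example that is not part of this tracker or of Redmine itself. It assumes Redmine is served behind nginx as a reverse proxy to a backend on 127.0.0.1:3000 and that the host name is a placeholder; the rate and burst values are illustrative.

```nginx
# Key for the registration limiter: only POST requests carry a non-empty key,
# so GETs of the registration form are not counted (nginx skips empty keys).
map $request_method $register_post_key {
    default "";
    POST    $binary_remote_addr;
}

# Allow 5 registration POSTs per minute per client IP (illustrative value).
limit_req_zone $register_post_key zone=register:10m rate=5r/m;

upstream redmine {
    server 127.0.0.1:3000;   # assumed Redmine backend (Puma/Passenger)
}

server {
    listen 443 ssl;
    server_name tracker.example.org;   # placeholder host name

    # Block issue creation from everyone: the web form posts to /issues and
    # the REST API posts to /issues.json or /issues.xml. Other methods pass.
    location ~ ^/issues(\.(json|xml))?$ {
        if ($request_method = POST) {
            return 403;
        }
        proxy_pass http://redmine;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    # Throttle self-registration: small burst, excess rejected at once
    # (nodelay) with 429 so the log records the throttling distinctly.
    location = /account/register {
        limit_req zone=register burst=3 nodelay;
        limit_req_status 429;
        proxy_pass http://redmine;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    location / {
        proxy_pass http://redmine;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

The 403 and 429 responses stay in the access log, so a later review like the one in the comment can grep for them to see whether the bots are still trying.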