Bug #25343

closed

Limit Redmine API access for non-members

Added by Nathan Cutler over 5 years ago. Updated over 3 years ago.

Status: Resolved
Priority: Urgent
% Done: 0%
Regression: No
Severity: 3 - minor

Description

Today a spammer started using the API to create lots of issues here on Redmine. It was good, because it forced me to learn how to bulk delete :-)

Ideally, though, we would not allow non-members to post new issues via the API. I poked around in the Administration menus and didn't find such an option. Is there a plugin for it?

#1 - Updated by Nathan Cutler over 5 years ago

  • Description updated

#2 - Updated by Nathan Cutler over 5 years ago

  • Priority changed from High to Urgent

Raising priority since apparently the spammer is willing to cross the line over into DDoS territory.

#3 - Updated by David Galloway over 5 years ago

  • Assignee set to David Galloway

So I can't limit access to the API by group. The attacker had bots creating accounts, verifying them, then creating bogus tickets via the API. Instead of preventing regular users from creating issues (which is what I would have had to do), I have blocked all POST requests to /issues and rate-limited POST requests to /account/register.

I looked in server logs prior to yesterday's attack and don't see any valid POST requests to /issues, which is where the API receives issue creation requests.
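Note #3 describes the two measures in prose only. The nginx configuration below is an added example, not the Ceph tracker's real configuration and not part of Redmine, showing how a reverse proxy in front of Redmine could implement them; it assumes nginx fronts a Redmine application server on 127.0.0.1:3000 and uses a placeholder hostname.

```nginx
# Added example (not the Ceph tracker's real config, nor part of Redmine):
# nginx reverse-proxy rules for the two measures described in note #3.
# Assumed: nginx fronts a Redmine app server at 127.0.0.1:3000 and the
# tracker hostname is a placeholder.

# Key is the client address only for POST, so GETs of the registration
# form are never counted or throttled (an empty key is not rate-limited).
map $request_method $register_post_key {
    POST    $binary_remote_addr;
    default "";
}
limit_req_zone $register_post_key zone=register:10m rate=2r/m;

upstream redmine_backend {
    server 127.0.0.1:3000;    # assumed Redmine application server
}

server {
    listen 80;                              # TLS termination omitted for brevity
    server_name tracker.example.invalid;    # placeholder hostname

    # Block issue creation via the REST API: POST /issues, /issues.json,
    # /issues.xml. Reads (GET) still reach Redmine. Per note #3, legitimate
    # submissions did not use this path, so they are unaffected.
    location ~ ^/issues(\.(json|xml))?$ {
        if ($request_method = POST) {
            return 403;
        }
        proxy_pass http://redmine_backend;
    }

    # Throttle registration POSTs to 2/min per client IP with a burst of 3,
    # answering excess attempts with 429 so they stand out in the access log.
    location = /account/register {
        limit_req zone=register burst=3 nodelay;
        limit_req_status 429;
        proxy_pass http://redmine_backend;
    }

    location / {
        proxy_pass http://redmine_backend;
    }
}
```

Counting 403 and 429 responses on these two locations in the access log gives a simple measure of whether the bot activity is continuing after the block.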

#4 - Updated by David Galloway over 3 years ago

  • Status changed from New to Resolved