Bug #25343
closed
Limit Redmine API access for non-members
Added by Nathan Cutler almost 6 years ago.
Updated over 3 years ago.
Description
Today a spammer started using the API to create lots of issues here on Redmine. It was good, because it forced me to learn how to bulk delete :-)
Ideally, though, we would not allow non-members to post new issues via the API. I poked around in the Administration menus and didn't find such an option. Is there a plugin for it?
- Description updated (diff)
- Priority changed from High to Urgent
Raising priority since apparently the spammer is willing to cross the line over into DDoS territory.
- Assignee set to David Galloway
So I can't limit access to the API by group. The attacker had bots creating accounts, verifying them, then creating bogus tickets via the API. Instead of preventing regular users from creating issues (which is what I would have had to do), I have blocked all POST requests to /issues and rate limited POST requests to /account/register
I looked in server logs prior to yesterday's attack and don't see any valid POST requests to /issues which is where the API receives issue creation requests at.
- Status changed from New to Resolved
Also available in: Atom
PDF