Requests for comment/Throttle edits made by all users
The following request for comments is closed. No consensus was achieved, the discussion didn't really go anywhere. Effeietsanders (talk) 06:40, 2 September 2018 (UTC)
I do not know if this was discussed in the past (my apologies if so), but I started a discussion at ptwiki questioning why we do not limit edits made by all users (yes, all users). Looking into InitialiseSettings.php I realized that we currently limit the number of edits made by newbies and IPs, but we allow users to make any number of edits, all at once.
I do not want to talk about the performance issues, since this is not my point here. My point is that, currently, we have tons of scripts and APIs (most of them in JavaScript, available as Gadgets) that can easily destroy everything in seconds.
Bots and users must ask permission to use external tools like Pywikibot, AWB, or Huggle. In most of them, they are also required to throttle their edits to avoid harm (and to allow us to easily block/revert when needed).
BUT I can write a JavaScript script to edit thousands of pages at once. And that's ok, since their use is not limited by the software. In ptwiki, our rules limit bots to editing 6 pages per minute, but a user with the Cat-a-lot script recently edited 216 pages at once.
Obviously these edits caused no harm, but an attacker can exploit this security hole to do a lot of harm. They can even use multiple zombie accounts to do this, and cause a mass of edits that would be very difficult to revert. If the account of a privileged user gets compromised, the possibilities are even worse: they can mass block sysops, grant zombie users sysop permissions and keep mass editing for a long time.
I suggested in ptwiki to set a limit of 60 edits every 10 minutes for all users. This limit is based on the limit set for bots on that wiki (=6 edits per minute). I am not suggesting to use this limit in all wikis, but I argue that a limit should exist to prevent exploitation of this vulnerability and large-scale damage (even if this limit is very high, like 1000 edits per hour).
Most technical users in ptwiki (if not all) understood my argument and agreed with the proposed solution, but non-tech users are afraid of limiting their edit power. They argue that if Wikimedia and other wikis do not care about this problem, maybe it is unreal and we shouldn't care about it either. So this is mainly why I am here.
Best regards, --Diego Queiroz (talk) 02:03, 15 February 2017 (UTC)
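As an added illustration (not part of the RFC, and not Wikimedia's actual InitialiseSettings.php values), the situation described above and the proposed change expressed as a MediaWiki LocalSettings.php fragment. It uses MediaWiki's `$wgRateLimits` format, where each entry is `[ count, seconds ]`; the numbers for IPs and newbies are assumed for the example, and the 60-per-600-seconds value is the one proposed in the post.

```php
<?php
// Added example, not from the RFC or from Wikimedia's configuration.
// $wgRateLimits[action][key] = [ count, seconds ]: at most `count` actions
// of that type within a window of `seconds`. Counters are kept per key
// (per IP, per account, ...), so each account has its own budget.

// --- Before: only anonymous and newly registered editors are throttled. ---
// Illustrative values, not production numbers.
$wgRateLimits['edit']['ip']     = [ 8, 60 ];   // 8 edits per minute per IP
$wgRateLimits['edit']['newbie'] = [ 8, 60 ];   // 8 edits per minute for new accounts
// With no 'user' key, an established account, or a gadget such as Cat-a-lot
// running under one, can submit as many edits as the server will accept.

// --- After: the limit proposed for ptwiki, applied to every logged-in user. ---
// 60 edits per 600 seconds, matching the wiki's 6-edits-per-minute bot rule.
$wgRateLimits['edit']['user'] = [ 60, 600 ];

// MediaWiki also accepts user group names as keys; where both 'user' and a
// group key match, the more permissive of the two is applied. Approved bots
// could therefore be given a higher, explicit limit instead of none at all.
// Value is an assumption for the example.
$wgRateLimits['edit']['bot'] = [ 600, 600 ];

// Caveat: by default MediaWiki grants the 'noratelimit' right to the sysop
// and bot groups, and any account holding that right bypasses $wgRateLimits
// entirely. The compromised-sysop scenario in the post is therefore NOT
// covered by the edit limit alone unless the exemption is also withdrawn:
$wgGroupPermissions['sysop']['noratelimit'] = false;
// Leave $wgGroupPermissions['bot']['noratelimit'] at its default (true) if
// bots are meant to keep their exemption rather than use the 'bot' key above.
```

The limit applies to the `edit` action regardless of whether it arrives through the web form or the API, which is how browser gadgets submit their changes. Because the counter is per account, the limit bounds what one compromised or scripted account can do in a window; it does not by itself stop an attacker who spreads the same work over many accounts, which is the "zombie accounts" concern raised in the post.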
Discussion
I'm not certain this is the correct place for this discussion, especially given the lack of participation thus far. Maybe MediaWiki or the wikitech mailing list would gather more traction.
On the merits, as I did in ptwiki, I fully Support an edit rate limit for all users. I think this is a very serious vulnerability to the community, as malicious scripts may make several hundred edits per minute and require a very difficult and laborious cleanup process. Chico Venancio (talk) 15:03, 28 February 2017 (UTC)