Improve Codeberg Administration tools #442

Open
opened 7 months ago by fnetX · 3 comments
fnetX commented 7 months ago
Collaborator

Codeberg is growing every day and we're proud more and more people are using our service every day to create awesome open source projects.

But with increasing absolute use, there is also an increase in abuse and while our current moderation workflow is still okayish, we will have to look into better toolchains soon.

One part is the spam and abuse reporting, also see #424 for that, which involves a dashboard built into Gitea. We should also take some steps further for easier administration - it can be discussed whether these changes should also go into Gitea or if we want to build a custom dashboard.

The current situation is that we have some admin scripts that interface with the Gitea API and allow us to do certain tasks. These are a bit hacky but work - but they are not really convenient for doing simple tasks like removing a single repo ...

My idea was to create a standalone service that allows doing the jobs of our admin scripts with a nicer frontend. I thought not to have a fine-grained user management there, but rather a box in the frontend where you'd enter your Gitea API key and the script re-uses this in the backend for your requests. We might want to use this API key to derive the user and do further checking of certain actions later (like sending automated emails, fetching private repos and so on).

We could also see if we can integrate everything into Gitea, but I'm sure we'll face jobs that are not necessary for the majority of instances (like interfacing with specific scanners for missing licences or malicious pages repos etc). And our solution could be used by other people running Gitea easily if we mostly re-use the API. Different opinions?

I could imagine doing some work into this if someone joins, too. @momar are you interested in doing some front-end work? I think you have some experience in this? @n you provided some helper scripts earlier? Are you interested in building this, too?

fnetX added the
enhancement
contribution welcome
labels 7 months ago
fnetX added this to the Summer 2021 (obsolete, lol) milestone 7 months ago
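
Added example, not part of the original thread and not Codeberg's admin scripts: one way the proposed backend could derive the operator from a submitted Gitea API key and gate an action on the result, while keeping a history of decisions. The instance URL, the function names and the admin-only policy are assumptions; `fake_gitea` is a constructed stand-in for the API so the block runs offline.

```python
import json
import urllib.request

GITEA_URL = "https://gitea.example"  # placeholder instance URL (assumption)

def http_get_json(url, headers):
    """Default transport: one authenticated GET, JSON body returned as a dict."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

def resolve_operator(api_key, fetch=http_get_json):
    """Ask Gitea who owns the key; the key itself is never stored or logged."""
    try:
        user = fetch(f"{GITEA_URL}/api/v1/user",
                     {"Authorization": f"token {api_key}"})
    except Exception:
        return None  # invalid, revoked or unreachable: treat as unauthenticated
    if not isinstance(user, dict) or not user.get("login"):
        return None
    return {"login": user["login"], "is_admin": bool(user.get("is_admin"))}

def authorize(api_key, action, audit_log, fetch=http_get_json):
    """Allow `action` only for instance admins and record every decision."""
    operator = resolve_operator(api_key, fetch)
    allowed = bool(operator and operator["is_admin"])
    audit_log.append({
        "action": action,
        "operator": operator["login"] if operator else None,
        "allowed": allowed,  # denied attempts are recorded too, for review
    })
    return allowed

def fake_gitea(url, headers):
    """Constructed sample data standing in for GET /api/v1/user."""
    users = {"token admin-key": {"login": "alice", "is_admin": True},
             "token user-key": {"login": "bob", "is_admin": False}}
    if headers["Authorization"] not in users:
        raise PermissionError("401 Unauthorized")
    return users[headers["Authorization"]]

def demo():
    log = []
    results = [authorize(key, "quarantine spammer/repo", log, fake_gitea)
               for key in ("admin-key", "user-key", "bogus")]
    return results, log

if __name__ == "__main__":
    print(demo())
```

Because the backend forwards the caller's own key, Gitea still enforces that user's permissions on every real request; the check here only decides whether the tool offers the action at all.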
Collaborator

for backend things you can @ping me too - but I'm really not good at frontend ...

n commented 7 months ago
Collaborator

I don't have a lot of time at the moment but I'd still like to contribute when I can.

Poster
Collaborator

Okay, thank you both.

I'll just share a first braindump of what's necessary or nice-to-have

  • internal search of repos
    • with checkboxes to easily add them for some action
    • maybe with filtering (like list all big repos, list only private repos etc)
  • expand a list of repos to also include all its forks
  • maybe a search to find similar repos (like similar files or a shared git history for unreal forks)
  • quarantine a list of repos (basically: lock, rename and move to another org)
  • send a mail to users after quarantine
  • select repos to issue a warning mail (e. g. enormous resource usage in private repos, no licence etc)
  • list quarantined repos, select them to
    • delete them
    • move them back to the original owner
  • allow to mark users for removal for multiple reasons, e.g. spam / scam accounts
    • ideally hide them
    • send explanation mail to user, maybe give them a configurable grace-time to appeal
    • auto-remove users after
  • dashboard of user reports, either from Gitea or the software might also add this on its own? Not sure ... (we could easily change the templates to have a report link on every page that reports something with this tool, but a Gitea-native feature would be much better)
  • ideally replace content with a descriptive message? (e. g. for the current quarantined pages, I would have liked to serve a warning like "This page was part of a malware campaign and has been locked by Codeberg" to warn people that eventually clicked a bad link somewhere not to do this again ...)
  • maybe some transparent dashboard which actions have been taken and why (visible to Codeberg users or members)
  • internally save a history of actions for review
  • list users and which action has already been taken
  • select and disable user accounts (maybe from the previous user/action list)