When you get spammed and want to remove a user and block the same user name from being created the normal routine is to put xxxxxx and the admins email address in .htpasswd.

But if you do that now a person can re-register with the same user name and that RESETS THE PASSWORD in the .htpasswd file.

We need to block this because spammer have begun to attach html files to their home directory and use your TWiki server as a web server.

And then they add references to this pub dir from many other blogs etc.

You will end up with a banned IP address this way. So it is essential that you can remove such a user and prevent him from creating the same user name again.

So the code should check for the presence of an entry in .htpasswd before it overwrites with a new one.

When he resets the password the email goes to the admin and he will never know what it was reset to so that is covered.

KJL

No, that's not right. An existing user is prevented from re-registering by checking for a home topic. The password manager isn't involved. You can prevent a second registration by leaving their user topic, and xxxx'ing their password.

Discarded.

CC

Yes. I accept the discard with no further objection.

• To surprise you
• Because is will be a terrible hack to have a special treatment for the htaccess type password manager and the opposite for other types. E.g. in LDAP we would not prevent registration just because the user already have a password.

The right way to block the evil user is.

• Alter his entry in the .htpasswd file. Here it is important BOTH to alter the encrypted password to for example xxxxxx and change the email address to your own. Then YOU get the emails when the sucker tries to reset the password.
• Clean out the user topic. Empty it completely.
• Delete the ,v file from the users topic to get rid of history
• Set the ALLOWTOPICCHANGE on the topic to Main.TWikiAdminGroup. Otherwise the spammer will login as someone else and alter the old user topic putting back the spam attachments.

KJL

Let's leave this discarded, but here are my 2c:

I do not want to have a BuyViagra topic left in my installation, spammer accounts should be removed and it should be possible to prevent an account name from being re-used. Cairo had the .htpasswd entry test. I do not care how this is done in TWiki 4, but it must be supported.

-- PTh

I just had someone register as TestTest on TWiki.org even though that account existed as TestTest:xxxxxxxxxxxxx:peter@thoeny.org. Registration with bogus accounts happens quite often; not locking out those names raises my support load (yet again). We really need a solution to prevent registration of a set of names (as was possible in Cairo).

I am re-opening this, with summary changed from "Cannot lock out re-registration by using htpasswd file anymore" to "Cannot lock out re-registration of bogus user names". This is urgent, but not a release blocker, hence set to "normal".

FYI, here are the bogus names that used to be locked out on TWiki.org while running Cairo:

AAAVeryGoodSite:xxxxxxxxxxxxx:peter@thoeny.org
AaaBbb:xxxxxxxxxxxxx:peter@thoeny.org
AbcUser:xxxxxxxxxxxxx:peter@thoeny.org
AbcZ:xxxxxxxxxxxx:peter@thoeny.org
AiroYang:xxxxxxxxxxxxx:peter@thoeny.org
AlCapone:xxxxxxxxxxxxx:peter@thoeny.org
AndersAnd:xxxxxxxxxxxxx:peter@thoeny.org
AnnaMaria:xxxxxxxxxxxxx:peter@thoeny.org
ArthurMartin:xxxxxxxxxxxxx:peter@thoeny.org
AsdfAsdf:xxxxxxxxxxxxx:peter@thoeny.org
AustraliaRealEstatenike:xxxxxxxxxxxxx:peter@thoeny.org
BabyRoger:xxxxxxxxxxxxx:peter@thoeny.org
BartSimpson:xxxxxxxxxxxxx:peter@thoeny.org
BillGates:xxxxxxxxxxxxx:peter@thoeny.org
BlueKobalt:xxxxxxxxxxxxx:bluekobalt@hotmail.com
BoBYKING:xxxxxxxxxxxxx:peter@thoeny.org
BobBob:xxxxxxxxxxxxx:peter@thoeny.org
BobJohnson:xxxxxxxxxxxxx:peter@thoeny.org
BobMarley:xxxxxxxxxxxxx:peter@thoeny.org
BobSmith:xxxxxxxxxxxxx:peter@thoeny.org
BubiBaer:xxxxxxxxxxxxxx:peter@thoeny.org
CaymanAg:xxxxxxxxxxxxx:peter@thoeny.org
CeciTest:xxxxxxxxxxxxx:peter@thoeny.org
ChadAustin:xxxxxxxxxxxxx:aegis@aegisknight.org
DaDa:xxxxxxxxxxxxx:peter@thoeny.org
DarrinDexter:xxxxxxxxxxxxx:peter@thoeny.org
DataTeddy:xxxxxxxxxxxxx:peter@thoeny.org
DharmaR:xxxxxxxxxxxxx:peter@thoeny.org
DoggyDoggy:xxxxxxxxxxxxx:peter@thoeny.org
DzyWeb:xxxxxxxxxxxxx:peter@thoeny.org
EdelweisRitt:xxxxxxxxxxxxx:edelweis@ceitec.org.br
FilipinaCanlas:8zyQtfc3KN5wk:fxxxxxxx@yahoo.com
FirstLast:xxxxxxxxxxxxx:peter@thoeny.org
FirstnameLastname:xxxxxxxxxxxxx:peter@thoeny.org
FooBar:xxxxxxxxxxxxx:peter@thoeny.org
FredBloggs:xxxxxxxxxxxxx:peter@thoeny.org
GioGio:xxxxxxxxxxxxx:peter@thoeny.org
GuestGuest:xxxxxxxxxxxxx:peter@thoeny.org
GuestUser:xxxxxxxxxxxxx:peter@thoeny.org
HalloHallo:xxxxxxxxxxxxx:peter@thoeny.org
HansDampf:xxxxxxxxxxxxx:peter@thoeny.org
HansWurst:xxxxxxxxxxxxx:peter@thoeny.org
HelloWorld:xxxxxxxxxxxxx:peter@thoeny.org
IchDu:xxxxxxxxxxxxx:peter@thoeny.org
JackSpam:xxxxxxxxxxxxx:peter@thoeny.org
JeroenRoeterd:OPLgTd8mNC7XA:jeroen@xxxxxxx.com
JoeBloe:xxxxxxxxxxxxx:peter@thoeny.org
JoeBob:xxxxxxxxxxxxx:peter@thoeny.org
JoeJohnson:xxxxxxxxxxxxx:peter@thoeny.org
JoeNice:xxxxxxxxxxxxx:peter@thoeny.org
JoeSmith:xxxxxxxxxxxxx:peter@thoeny.org
JoeUser:xxxxxxxxxxxxx:peter@thoeny.org
JohnDoe:xxxxxxxxxxxxx:peter@thoeny.org
JohnSmith:xxxxxxxxxxxxx:peter@thoeny.org
JohnSmithe:xxxxxxxxxxxxx:peter@thoeny.org
JosefStalin:xxxxxxxxxxxxx:peter@thoeny.org
JustTesting:xxxxxxxxxxxxx:peter@thoeny.org
KingBonehead:xxxxxxxxxxxxx:peter@thoeny.org
LessWeight:xxxxxxxxxxxxx:peter@thoeny.org
MaEx:xxxxxxxxxxxxx:peter@thoeny.org
MangeurDeCigogne:xxxxxxxxxxxxx:peter@thoeny.org
MaxMuster:xxxxxxxxxxxxx:peter@thoeny.org
MichaelPSparks:xxxxxxxxxxxxx:peter@thoeny.org
MichaelSp:xxxxxxxxxxxxx:zathrus@mad.scientist.com
MickeyMouse:xxxxxxxxxxxxx:peter@thoeny.org
MikeSparks:xxxxxxxxxxxxx:peter@thoeny.org
MrBig:xxxxxxxxxxxxxx:peter@thoeny.org
MrX:xxxxxxxxxxxxx:peter@thoeny.org
NewGood:xxxxxxxxxxxxx:peter@thoeny.org
NobodyUser:xxxxxxxxxxxxx:peter@thoeny.org
NoneNone:xxxxxxxxxxxxx:peter@thoeny.org
PepePepe:xxxxxxxxxxxxx:peter@thoeny.org
PeterPan:xxxxxxxxxxxxx:peter@thoeny.org
QuartoAno:xxxxxxxxxxxxx:peter@thoeny.org
RonHonberg:xxxxxxxxxxxxx:peter@thoeny.org
RyanRonin:xxxxxxxxxxxxx:peter@thoeny.org
SandBox:xxxxxxxxxxxxx:peter@thoeny.org
SharingTalk:xxxxxxxxxxxxx:peter@thoeny.org
SkyeeChee:xxxxxxxxxxxxx:peter@thoeny.org
SonicTree:xxxxxxxxxxxxx:peter@thoeny.org
StateBank:xxxxxxxxxxxxx:peter@thoeny.org
SteveGargin:xxxxxxxxxxxxx:sghelp1999@yahoo.com
SunilChoubey:xxxxxxxxxxxxx:peter@thoeny.org
SuperAdmin:xxxxxxxxxxxxx:peter@thoeny.org
TWikiRobot:xxxxxxxxxxxxx:peter@thoeny.org
TWikiRoot:xxxxxxxxxxxxx:peter@thoeny.org
TWikiVisitor:xxxxxxxxxxxxx:peter@thoeny.org
TestMe:xxxxxxxxxxxxx:peter@thoeny.org
TestTest:xxxxxxxxxxxxx:peter@thoeny.org
TestTest1:xxxxxxxxxxxxx:peter@thoeny.org
TestTest2:xxxxxxxxxxxxx:peter@thoeny.org
TestTestTest:xxxxxxxxxxxxx:peter@thoeny.org
TestTester:xxxxxxxxxxxxx:peter@thoeny.org
TestTesting:xxxxxxxxxxxxx:peter@thoeny.org
TestUser:xxxxxxxxxxxxx:peter@thoeny.org
TesterTester:xxxxxxxxxxxxx:peter@thoeny.org
TwikiGuest:xxxxxxxxxxxxx:peter@thoeny.org
TwikiUser:xxxxxxxxxxxxx:peter@thoeny.org
VitSet:xxxxxxxxxxxxx:peter@thoeny.org
WebRaja:xxxxxxxxxxxxx:peter@thoeny.org
WikiAdmin:xxxxxxxxxxxxx:peter@thoeny.org
WikiAmin:xxxxxxxxxxxxx:peter@thoeny.org
WikiMan:xxxxxxxxxxxxx:peter@thoeny.org
WikiTest:xxxxxxxxxxxxx:peter@thoeny.org
WikiUser:xxxxxxxxxxxxxx:peter@thoeny.org
WikiWiki:xxxxxxxxxxxxx:peter@thoeny.org
WikiWikiGuest:xxxxxxxxxxxxx:peter@thoeny.org
WileECoyote:xxxxxxxxxxxxx:peter@thoeny.org
WpB:xxxxxxxxxxxxx:peter@thoeny.org

-- PTh

There is no need to keep their topic around. If the user exists in TWikiUsers, then they are blocked from re-registering, even if they have no personal topic.

I added a test for existing password. Someone please test what happens if verification is off!

CC