fdo-approve-users: sanitize all external user's profiles

Gitlab has the option of a private profile, but that merely hides the profile activity, not the profile information, which makes it an attractive target for spammers: create gitlab account, fill bio with spam, wait for google to pick it up, profit.

Run our script in a cron job and, for any user that has a website URL or biography set, wipe the whole profile. This lets real users set their handles without falling afoul of this while hopefully catching most bot spam.

Since bots will re-fill that information we'll have to continually do it, but the cutoff is 60 days, after which the spammers hopefully got purged anyway.

Likewise, a public email is removed from display since we don't need that to advertise whatever website they have.

The only field left out on purpose is "organization"; that's a somewhat legitimate field for users to keep.

Note that the avatar remains as-is; couldn't figure out how to set this through the console (starts with AvatarUploader I guess, but then?).

Note: if we merge this we need to disable the damspam sanitize-profiles job in fdo-bots otherwise that one will overwrite us again.

Edited by Peter Hutterer
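The rule described in this merge request, as an added stand-alone example (not the fdo-approve-users script itself): a plain Ruby model of the profile fields the rule touches, the 60-day cutoff, and the wipe that clears everything except organization (and leaves the avatar alone). `ProfileUser` and `sample_users` are constructed stand-ins for the GitLab User model and are assumptions of this example.

```ruby
require 'date'

# Constructed stand-in for the subset of GitLab User attributes the rule touches.
# Not the real Rails model: the MR runs inside the GitLab console, this runs offline.
ProfileUser = Struct.new(:username, :external, :created_at, :bio, :website_url,
                         :location, :public_email, :organization, keyword_init: true)

CUTOFF_DAYS = 60
# organization is kept on purpose; the avatar is not touched at all.
WIPED_FIELDS = %i[bio website_url location public_email].freeze

# A profile is a spam candidate when the website URL or the biography is set.
def spam_candidate?(user)
  !user.website_url.to_s.strip.empty? || !user.bio.to_s.strip.empty?
end

# Only external accounts created within the last CUTOFF_DAYS are eligible;
# older accounts are assumed to have been purged or vetted already.
def eligible?(user, now: Date.today)
  user.external && (now - user.created_at) <= CUTOFF_DAYS
end

# Wipe the whole profile (except organization) of every eligible candidate.
# Returns the usernames that were sanitized, so a cron run can log them.
def sanitize_profiles(users, now: Date.today)
  users.select { |u| eligible?(u, now: now) && spam_candidate?(u) }.map do |u|
    WIPED_FIELDS.each { |field| u[field] = nil }
    u.username
  end
end

# Constructed sample accounts: one spam profile, one empty new profile,
# one account older than the cutoff, and one internal (non-external) user.
def sample_users(now)
  [
    ProfileUser.new(username: 'spammer', external: true, created_at: now - 3,
                    bio: 'best casino bonuses', website_url: 'https://example.invalid',
                    location: 'Nowhere', public_email: 'x@example.invalid', organization: 'Acme'),
    ProfileUser.new(username: 'newbie', external: true, created_at: now - 10,
                    bio: nil, website_url: '', location: nil, public_email: nil, organization: nil),
    ProfileUser.new(username: 'oldtimer', external: true, created_at: now - 400,
                    bio: 'kernel hacker', website_url: nil, location: nil, public_email: nil, organization: nil),
    ProfileUser.new(username: 'staff', external: false, created_at: now - 1,
                    bio: 'maintainer', website_url: 'https://example.org', location: nil, public_email: nil, organization: nil)
  ]
end

if __FILE__ == $PROGRAM_NAME
  now = Date.today
  users = sample_users(now)
  puts "sanitized: #{sanitize_profiles(users, now: now).join(', ')}"
end
```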