Thanks for letting us know about that, Max. I have reverted the page.
Yes, that page and various others are publicly modifiable, so that the
GroupServer development community can participate in maintaining the
documentation.
This is a good example of the use case for
<https://projects.iopen.net/groupserver/ticket/386> but in this case, your
participation did the job. Thank you again :).
Thanks to both Max and Dan.
As Dan said, anyone who is logged in can change the GroupServer page
on this site¹. Looking at the History tab² I see that the person who
changed the page was "moran432". This person also happens to be a
member of this group.
I checked the log that GroupServer keeps of user-activity³. I see
that "moran432" joined this group five minutes before defacing the
GroupServer page. It appears to me that "moran432" joined this group
with the sole purpose of defacing the GroupServer page.
Based on this I have decided to take action to prevent further abuse by
"moran423". First, I have blocked the email address of "moran423"⁴.
Second, I am about to remove him or her from this group. If "moran423"
contacts me and provides an adequate reason for the defacement I will
unblock his or her address, and allow him or her to rejoin the group.
The way that I tend to secure sites is to have
* *Slightly* more loose security than necessary,
* Very good logging, and
* A way of rolling back changes.
That way even if I do mess up⁵ — and the security is too lax — then I
have a good record of what happened, and I can fix things afterwards.
Kind regards, and thanks again,
Michael
*Footnotes*
1. The GroupServer page on this site
<http://groupserver.org/groupserver>
2. The History tab is also visible to any logged-in member.
3. User-activity is stored in the "audit_event" table, for what it
is worth.
4. To block an email address you add it to the "email_blacklist"
table.
5. As I am human, and security is complex, I *am* likely to mess up.
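The check described in the message above (a page edit made minutes after the editor joined) can be run over an activity log, shown here as an added example that is not part of the original post or of GroupServer's code. The event field names, event types and sample records are constructed for illustration and do not reflect the real "audit_event" schema.

```python
from datetime import datetime, timedelta

# Constructed sample events. Field names and event types are assumptions,
# not the columns of GroupServer's "audit_event" table.
EVENTS = [
    {"time": "2011-03-01T09:00:00", "user": "alice", "event": "join_group"},
    {"time": "2011-03-20T14:07:00", "user": "newuser1", "event": "edit_page",
     "page": "/groupserver"},
    {"time": "2011-03-20T14:02:00", "user": "newuser1", "event": "join_group"},
    {"time": "2011-03-21T10:30:00", "user": "alice", "event": "edit_page",
     "page": "/groupserver"},
    # No join record for this user: membership predates the log extract.
    {"time": "2011-03-22T08:15:00", "user": "bob", "event": "edit_page",
     "page": "/groupserver"},
]


def edits_soon_after_join(events, window=timedelta(minutes=30)):
    """Return page edits made within `window` of the editor joining.

    Events are processed in time order, so an out-of-order log still works.
    Edits by users with no join record in the log are skipped, because the
    account age cannot be established from this data alone.
    """
    parsed = [dict(ev, when=datetime.fromisoformat(ev["time"])) for ev in events]
    parsed.sort(key=lambda ev: ev["when"])

    joined_at = {}   # user -> time of most recent join
    flagged = []
    for ev in parsed:
        if ev["event"] == "join_group":
            joined_at[ev["user"]] = ev["when"]
        elif ev["event"] == "edit_page" and ev["user"] in joined_at:
            age = ev["when"] - joined_at[ev["user"]]
            if age <= window:
                flagged.append({
                    "user": ev["user"],
                    "page": ev["page"],
                    "minutes_since_join": age.total_seconds() / 60,
                })
    return flagged


if __name__ == "__main__":
    for hit in edits_soon_after_join(EVENTS):
        print(hit)
```

A flagged edit is a prompt to look at the History tab and decide whether to roll back, not proof of abuse; new members also make legitimate first edits.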