Chocobozzz
commented
3 weeks ago Thanks for reporting this issue, but this is a duplicate of https://github.com/Chocobozzz/PeerTube/issues/3283
As a side note you can also try to still have registrations enabled but with registration approval enabled: https://docs.joinpeertube.org/admin/managing-users#registration-approval
vencabot
Describe the problem to be solved
My instance has a quota of '0' for every user but myself, because I want for people to be able to create accounts to interact with my content (and content on other PeerTube servers) without them being able to create videos on my server. That's worked great!
Last night, somebody (probably a malicious actor) created an account on my server and ran several live streams before quickly deleting their account. I know this because I received a bunch of e-mails about the new user registering, then a bunch of "this video was automatically blacklisted: 'Live' by [username]". Part of why I assume this was a malicious actor was that a.) they deleted their account immediately, and b.) they managed to start these Lives even though I have the 'Publish' button disabled on my server via the plug-in, so they must have used a direct URL to publish the Lives.
This prompted me to check my server's settings, and I see that, of course, 'Lives' are enabled for users, which they can apparently do even with a quota of '0'. I disabled Lives, and now I also can't stream to my own server. It seems my only recourse may be to disable registrations, but that's not really what I want to do.
Describe the solution you would like
Video quota can be set server-wide but be manipulated per-user. This should be the same case for Lives; I should be able to disable them server-wide but enable them per-user (me).
Also, this should probably be its own Issue, but I had no notifications and nothing visible in my moderation menus regarding this user or their many auto-blacklisted videos, presumably because the account and their videos were already deleted. If I didn't have e-mail set up for my server, I would have never known about this. That seems like a problem for moderation and administration. Even if an account / the videos are deleted, some overt record should exist, I feel.
If I perused PeerTube's technical logs, I'm sure I could create some record, which is possible because I'm also the system admin and have technical knowledge -- but for general administration and moderation, maybe there should be an accessible permanent record of these sorts of comings-and-goings.
As always, thank you for all of the work that you've done to continuously improve PeerTube. I understand that your manpower is very limited and that you've got your hands full with other improvements, I'm sure! In the short term, disabling registration on my server (or only enabling Lives right before I go live and disabling them when my stream is over) are workarounds that don't cause me much stress. Just wanted to raise awareness for this issue, which I'd never thought of before now, myself.