openstreetmap / openstreetmap-website

The Rails application that powers OpenStreetMap
https://www.openstreetmap.org/
GNU General Public License v2.0
2.22k stars 920 forks

Rate-limit on (anonymous) notes? #4376

Open Kovoschiz opened 1 year ago

Kovoschiz commented 1 year ago

Problem

There are many issues from (anonymous) notes, including gibberish spam that takes effort from both ordinary users and DWG to close. https://community.openstreetmap.org/t/we-dont-need-anonymous-notes/105335/

Description

I want to know if there are rate limits on (anonymous) notes now. The number could be made public, following other rate limits, to allow users to assess the local situation in spamming and unhelpful notes perhaps from possible IP circumvention for more detailed reports.

tomhughes commented 1 year ago

This is a bug tracker, not a place for asking questions - that would probably have been better done on the community thread that you refer to.

I'll assume that we should treat this as a request to add such a limit, though it's a relatively tricky thing to do at the moment due to the strange way notes are modelled in the database - if people want to help with this then the plan outlined in #3831 would be a good start.

Kovoschiz commented 1 year ago

Sorry, GitHub's issue template included questions as something that can be raised here. Didn't want to @-you or someone, or everyone there in the absence of a team mention. If the forum is preferred, it would be nice if there is a dedicated tag (openstreetmap-website is 1 char too long; https://community.openstreetmap.org/tag/website is not exclusively used for this website) or even subsection. Then it can be redirected from https://github.com/openstreetmap/openstreetmap-website/blob/master/.github/ISSUE_TEMPLATE/config.yml alongside other channels. And yes, I hope to see it added as mentioned there. Notes are more manageable than destructive changesets, so it can certainly wait if the system has to be overhauled.

tomhughes commented 1 year ago

I wasn't aware when I initially replied that the community thread had already misled people by suggesting there were rate limits.

In general the whole thread is something of an overreaction to one incident that was almost certainly not deliberate and was stopped (by me) after a few hours. As should be fairly obvious from the list that was posted in the thread, what likely happened was that some idiot "security researcher" ran a script that was trying injection attacks, and they ended up generating lots of notes containing fragments of those attempts precisely because we did not fall victim and correctly escaped them all.

opk12 commented 7 months ago

Tens of anonymous notes opened in a short timeframe is a signal that the reporter is doing something wrong, or that the reporter should start mapping.

In Italy, we do not have a PD source of street names. The government DB is called ANNCSU and is CC BY 4.0. So we have whole towns without street names.

The Italian community has recently discussed multiple cases where someone (presumably the same person) regularly covers towns with a lot of non-actionable anonymous notes, in a timeframe of a couple hours, declaring they copied from ANNCSU. So I thought to ask for a rate limit.

This is not just one episode, this happens regularly.

The anonymous person can always make an account and take the legal responsibility to import themselves.

AntonKhorev commented 7 months ago

With the volume of ~200 notes per hour it might be possible to experiment with limits per specific bounding boxes. Unlike map edits, all of this goes fully through osm-website, no cgimap involved, so there's only one place in code to modify.
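
A sketch of the per-area limit suggested in the last comment, combined with a per-IP limit, added here as an example; it is not part of the thread and not openstreetmap-website code. The class name, grid size, limits and sample addresses are all assumptions, and the constructed scenario shows why keying on the map area still catches a burst that rotates IP addresses.

```ruby
# Added illustration, not openstreetmap-website code; every name here is hypothetical.
# Sliding-window limiter for anonymous notes, keyed by source IP and by map grid cell.
class AnonymousNoteLimiter
  def initialize(per_ip:, per_cell:, window:, cell_deg: 0.1)
    @limits = { ip: per_ip, cell: per_cell } # max notes per key inside the window
    @window = window                         # window length in seconds
    @cell_deg = cell_deg                     # grid cell size in degrees (assumed)
    @seen = Hash.new { |h, k| h[k] = [] }    # [kind, key] => note timestamps
  end

  # Snap a coordinate to the fixed bounding box (grid cell) that contains it.
  def cell_for(lat, lon)
    [(lat / @cell_deg).floor, (lon / @cell_deg).floor]
  end

  # Returns :ok and records the note, or the limit that was hit (:ip or :cell).
  # Rejected attempts are not recorded, so retries do not extend the block.
  def check(ip:, lat:, lon:, now: Time.now.to_f)
    keys = [[:ip, ip], [:cell, cell_for(lat, lon)]]
    keys.each { |k| @seen[k].reject! { |t| t <= now - @window } }
    hit = keys.find { |k| @seen[k].size >= @limits[k.first] }
    return hit.first if hit

    keys.each { |k| @seen[k] << now }
    :ok
  end
end

# Constructed scenario: 30 notes in one town, one per minute, spread over ten
# documentation-range IPs so that no single address exceeds the per-IP limit.
def simulate_rotating_ips
  limiter = AnonymousNoteLimiter.new(per_ip: 5, per_cell: 20, window: 3600)
  (0...30).map do |i|
    limiter.check(ip: "203.0.113.#{i % 10}", lat: 45.4612 + (i * 0.0001),
                  lon: 9.1878, now: 1000.0 + (i * 60))
  end
end

puts simulate_rotating_ips.tally.inspect if $PROGRAM_NAME == __FILE__
```

The state here lives in one process's memory; a deployment with several application processes would need shared storage for the counters, which this sketch leaves out.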