Indico account security

chrisrouch · October 29, 2024, 10:25am

Hello,

We’ve recently had several suspicious account reported to us. They have free email addresses (mostly gmail) and claim affiliation to an Institution.

I’ve been asked find the ip address used to created the accounts. Is this logged somewhere - I cannot see it in indico.log?

Is it also possible to block account creation from certain email addresses, or to refer them to a adminstrator for addtional checks before the account is created?

And is it possible to prevent creation of personal API tokens without approval from an administrator?

Thanks and regards,

Chris

ThiefMaster · October 29, 2024, 12:13pm

We don’t store it per se, but if you look at the log file just correlate it with the account creation timestamp and you’ll have it.

Both are available in the cog menu on /admin/users/:

You cannot force moderation only for blacklisted emails though, so it’s really a hard blacklist that prevents registration.

Note that the API setting only applies to “API tokens” but not the legacy “HTTP API” keys.

chrisrouch · October 29, 2024, 1:00pm

Thanks! I think this is what we need.

Chris