Confluence in its current incarnation (<2.4.3) is very risky to expose to the public internet. Exposing a system that is metered per user to the public internet, where anyone can come and sign up, has all the risks of placing your private phone on a street and inviting anyone to come and call anywhere they want.
Confluence does not have enough controls on new user account creation to make placing a limited user count license on the public internet a sensible thing to do. Some internet companies try to charge their clients for bandwidth usage without having proper tools in place for the user to monitor their bandwidth usage. That's not right because the only way the customer knows they've gone over the limit is when they receive a bill for excess bandwidth. Having limited user licenses for Confluence, without robust account creation and reporting tools, creates a similar situation for a public internet site.
For example, there doesn't seem to be any system for an administrator to see who the most recent signups are, or get much visibility into what they've done on the system. Without an account approval mechanism, a quick run of new users (possibly due to being slashdotted, or some other sudden traffic surge) could quickly overrun the allowed number of user accounts.
If too many accounts are created (as happens when an evaluation license expires), it prevents the valid users of the system from creating any more content until an administrator comes and fixes the situation by deleting users. Confluence could do several things to prevent this scenario:
- Moderated signups - New users don't count against the user license total (and don't get page creation rights) until the admin approves them.
- Cap on new user accounts - The administrator of a 500 user license system with 400 registered users could set a limit of 50 new account creations, so that a surge in registrations would get capped while he'd still have 50 user accounts remaining on his license.
- Account email validation - Its absence is a glaring omission (having users receive an email with a link that must be clicked gives some level of affirmative identification of the individual).
  - This does have the drawback of creating a way for someone to send spam, by creating bogus accounts with one or more target email addresses to receive the signup messages.
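The three controls listed above can be combined in one signup policy. The following is an added sketch, not Confluence code and not from the Bobsgear project; the `SignupGate` class, its method names and the one-mail-per-address-per-hour window are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time


class SignupGate:
    """Hypothetical signup policy sketch; not Confluence's code or API."""

    def __init__(self, seats, active, new_cap, mail_window_s=3600):
        self.seats = seats            # licensed user count
        self.active = active          # approved accounts: the only ones using seats
        self.cap_left = new_cap       # admin-set budget for new account creations
        self.window = mail_window_s   # assumed: one validation mail per address per window
        self.pending = {}             # username -> [email, token_hash, verified]
        self.last_mail = {}           # email -> time of last validation mail

    def register(self, user, email, now=None):
        """Create a pending account; return (token_to_mail, status)."""
        now = time.time() if now is None else now
        email = email.strip().lower()
        if self.cap_left <= 0:
            return None, "signup cap reached"
        if user in self.pending:
            return None, "username taken"
        # Limits the drawback noted above: bogus signups mailing a target address.
        if now - self.last_mail.get(email, float("-inf")) < self.window:
            return None, "validation mail recently sent"
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.pending[user] = [email, digest, False]
        self.last_mail[email] = now
        self.cap_left -= 1
        return token, "pending"

    def verify_email(self, user, token):
        """Mark the address validated if the mailed token matches."""
        acct = self.pending.get(user)
        if acct is None:
            return False
        ok = hmac.compare_digest(hashlib.sha256(token.encode()).hexdigest(), acct[1])
        acct[2] = acct[2] or ok
        return ok

    def approve(self, user):
        """Admin approval: only now does the account consume a licensed seat."""
        acct = self.pending.get(user)
        if acct is None or not acct[2] or self.active >= self.seats:
            return False
        del self.pending[user]
        self.active += 1
        return True
```

With `SignupGate(seats=500, active=400, new_cap=50)`, a surge of 60 registrations leaves 50 pending accounts, 10 refusals and the licensed count still at 400 until an administrator approves verified accounts.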
Bobsgear project would try to address these kinds of issues
It's exactly for this kind of reason that the Bobsgear project outlines development projects to remedy these issues.