This setting is way too low by default if you are using Discourse in a large organisation.
One of our clients hit the limit within days of launch; 3 users is way too low.
I completely missed this setting (we have a closed forum, users are moderated after signup, so I completely skipped the “Spam” part of the settings) when setting up. I only found out by chance, when someone reported via our support-desk.
I suggest upping this to something higher (e.g. 25) by default; if spam turns out to be a problem, users will find this setting and can consciously set it lower.
If Discourse is hosted on the internet, and you have a diverse user base, you’re fine.
If Discourse is hosted internally, and your users are on your intranet, you’re also fine, as Discourse will still see all users coming from their own IP addresses.
If Discourse is hosted externally, and a large portion of your users are behind NAT and therefore share an IP address, you could run into this – but only if no user from that IP address is a staff member or has earned trust level 2, which seems very unlikely if your whole user base is basically coming from a single IP address.
This is an incorrect characterisation of the situation. It would be more accurate to say, “if you are using Discourse, hosted on the Internet, in a large organisation which is all stuck behind a NAT gateway that only has a single IP address, which hasn’t been whitelisted, and isn’t using a proxy capable of setting X-Forwarded-For and being trusted, and doesn’t have IPv6, and somehow hasn’t managed to trip any of the auto-whitelisting functionality designed to avoid this particular scenario”. But that’s less catchy.
Conversely, if your NAT turns out to be a problem, users will find this setting and can consciously set it higher. Or deploy IPv6.
Or in my case “if you are using Discourse, hosted on the internet, and invite a couple of people at a client to join your new community” ← not a very strange use case, is it?
Sure, which is why it’s a site setting, and not a hard-coded value buried deep in the code. It’s also quite different from the scenario you described originally.
Fine, don’t change it, it’s indeed no longer a problem for me now that I know about it, just thought I’d help with a (in my opinion) useful tweak of the default setting.
I saw that and I think the intent behind this was quite elegant.
That said, I reported to you that there is a blind spot in the reasoning: if more than three people from a new company (same location, same IP-address, not seen before) sign up in a short time, then the default value prevents them from doing so. This is a bad first impression to your new members.
I understand this, I am arguing (or trying to) that the trade-off point needs tweaking.
As an admin of my forum, I’ve never received any notifications about exceeding any limits on default settings for versions 1.8.x-1.9.x. And I’ve never seen any mentions in the admin panel. Might this indicate that all 1500 users were registered smoothly and nobody was banned?
I have some reasonable questions about it:
Do users receive a notification in case of exceeding the limit for their IP address?
Do admins receive a notification when some users’ registration attempts exceed the limit?
Are IPs that were blocked for exceeding the limit logged anywhere?
In the case of an incorrectly configured external proxy, Discourse may always get 127.0.0.1 as the IP for all users. My forum had been working with a badly configured nginx for months until I fixed it.
In some cases of SSO, no registration IP address is passed by the SSO host to Discourse. Is it possibly a hole for spammers?
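An added example, not part of the original thread and not Discourse's own code: a small audit over exported signup records that surfaces the three conditions raised above (loopback or private registration IPs that point to a misconfigured proxy, signups with no registration IP, and IPs that have reached the per-IP limit with no staff or trust level 2 account to exempt them). The record layout, the `audit_registration_ips` name and the reading of the limit as "count >= limit" are assumptions for illustration.

```ruby
require "ipaddr"

# Constructed sample data: [username, registration_ip, trust_level, staff?]
SIGNUPS = [
  ["alice", "127.0.0.1",    0, false],
  ["bob",   "127.0.0.1",    1, false],
  ["carol", "127.0.0.1",    0, false],
  ["dave",  "203.0.113.7",  0, false],
  ["erin",  "203.0.113.7",  1, false],
  ["frank", "203.0.113.7",  0, false],
  ["grace", "198.51.100.4", 2, false],
  ["heidi", "198.51.100.4", 0, false],
  ["ivan",  "198.51.100.4", 0, false],
  ["judy",  "198.51.100.4", 0, false],
  ["kim",   nil,            0, false], # e.g. SSO signup with no IP passed
]

# An internet-hosted forum should not record these as client addresses.
NON_PUBLIC = %w[127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 ::1/128 fc00::/7]
  .map { |cidr| IPAddr.new(cidr) }

# Hypothetical helper. Assumes an IP counts as "at the limit" once it holds
# `limit` accounts and none of them is staff or trust level 2 or higher.
def audit_registration_ips(signups, limit: 3)
  findings = { missing_ip: [], proxy_suspect: [], at_limit: [] }
  signups.group_by { |_, ip, _, _| ip }.each do |ip, rows|
    if ip.nil?
      findings[:missing_ip].concat(rows.map(&:first))
      next
    end
    addr = IPAddr.new(ip)
    findings[:proxy_suspect] << ip if NON_PUBLIC.any? { |net| net.include?(addr) }
    exempt = rows.any? { |_, _, tl, staff| staff || tl >= 2 }
    findings[:at_limit] << ip if rows.size >= limit && !exempt
  end
  findings
end

p audit_registration_ips(SIGNUPS) if $PROGRAM_NAME == __FILE__
```
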