
Multitenant SA abuse prevention and superuser panel

angelsl edited this page Jul 25, 2021 · 3 revisions

User and course limits

To make it harder to abuse the new multitenant Source Academy, which allows anyone to create a course and import users into the system, the following limits apply by default:

  • users are limited to creating 5 courses
    • need to add a creator_id field to the course table, to track who created a course
    • alternatively, just count how many courses a user has admin role in?
  • courses are limited to 1000 users
  • courses are not allowed to create Sourcecasts or upload game resources (as that would allow them to upload arbitrary files to our S3 buckets)

(limits should be configurable)

Users/course creators will be able to apply for their courses to be "approved"/"verified"/"certified" and thereby have these limits lifted. Users can also apply for their accounts to be verified, and have the limit on courses lifted.
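The enforcement logic the limits above imply, as an added example that is not part of this page or of the Source Academy code base (the page does not name a language, so plain Python is used as a language-neutral sketch). It assumes a `creator_id` column on the course, as proposed above, and makes the per-user course limit, the per-course user limit and the "verified user's courses are auto-verified" option (option 2 of the third question) configurable; `Tenancy`, `Limits`, `LimitExceeded` and the method names are hypothetical. The point a reviewer would check: every check runs server-side against the stored counts, and a bulk import is accepted or rejected as a whole against `current + batch`, not just `current`, so a single import cannot overshoot the limit.

```python
"""Policy checks for multitenant course creation, user import and uploads.

Hypothetical sketch: not Source Academy's own code. Limits default to the
values proposed on the page (5 courses per user, 1000 users per course).
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Set


@dataclass
class Limits:
    max_courses_per_user: int = 5      # lifted when the *user* is verified
    max_users_per_course: int = 1000   # lifted when the *course* is verified


@dataclass
class User:
    id: int
    verified: bool = False


@dataclass
class Course:
    id: int
    creator_id: int                    # proposed creator_id column
    verified: bool = False
    member_ids: Set[int] = field(default_factory=set)


class LimitExceeded(Exception):
    """Raised when an unverified user/course would exceed a configured limit."""


class Tenancy:
    def __init__(self, limits: Optional[Limits] = None,
                 verified_user_courses_auto_verified: bool = False):
        self.limits = limits or Limits()
        # Option 2 of "what does a verified user get": their courses are
        # auto-verified. Option 1 (unlimited courses only) is the default.
        self.auto_verify = verified_user_courses_auto_verified
        self.users: Dict[int, User] = {}
        self.courses: Dict[int, Course] = {}
        self._next_course_id = 1

    def add_user(self, user: User) -> None:
        self.users[user.id] = user

    def courses_created_by(self, user_id: int) -> List[Course]:
        # Counts by creator_id. The page's alternative (count courses in which
        # the user holds the admin role) would swap this query only.
        return [c for c in self.courses.values() if c.creator_id == user_id]

    def create_course(self, creator_id: int) -> Course:
        user = self.users[creator_id]
        if (not user.verified
                and len(self.courses_created_by(creator_id))
                >= self.limits.max_courses_per_user):
            raise LimitExceeded(
                f"user {creator_id} already owns "
                f"{self.limits.max_courses_per_user} courses")
        course = Course(id=self._next_course_id, creator_id=creator_id,
                        verified=self.auto_verify and user.verified)
        course.member_ids.add(creator_id)  # creator is the first admin
        self._next_course_id += 1
        self.courses[course.id] = course
        return course

    def import_users(self, course_id: int, new_user_ids: Iterable[int]) -> int:
        """Add users to a course atomically; returns the resulting size."""
        course = self.courses[course_id]
        # Union first: re-importing existing members must not count twice,
        # and the whole batch is checked before anything is written.
        resulting = course.member_ids | set(new_user_ids)
        if not course.verified and len(resulting) > self.limits.max_users_per_course:
            raise LimitExceeded(
                f"import would put course {course_id} at {len(resulting)} users, "
                f"limit is {self.limits.max_users_per_course}")
        course.member_ids = resulting
        return len(course.member_ids)

    def can_upload_resources(self, course_id: int) -> bool:
        """Sourcecasts / game resources (S3 uploads) need a verified course."""
        return self.courses[course_id].verified

    # Superuser-panel actions: verify/unverify a user or a course.
    def set_user_verified(self, user_id: int, verified: bool) -> None:
        self.users[user_id].verified = verified

    def set_course_verified(self, course_id: int, verified: bool) -> None:
        self.courses[course_id].verified = verified


if __name__ == "__main__":
    t = Tenancy()
    t.add_user(User(id=1))
    for _ in range(5):
        t.create_course(1)
    try:
        t.create_course(1)
    except LimitExceeded as e:
        print("denied:", e)
    t.set_user_verified(1, True)
    print("after verification, course", t.create_course(1).id, "created")
```

With the defaults, an unverified user's sixth `create_course` and an import that would push an unverified course past 1000 members are both refused, while verifying the user or course through the superuser actions lifts the corresponding limit; uploads stay gated on course verification regardless of the user's status unless auto-verification is enabled.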

Choices to make

? How should the application process work? Options:

  1. Don't spend any effort on it: just let course creators email us manually
  2. Add in some sort of application form in the Source Academy
    • Would this persist the application in the database? Or just send an email for them?
    • HW's thoughts: not worth the effort

? How flexible do we want to be with the limits?

  1. Just a boolean toggle: verified courses have no limits at all, unverified courses are subject to said limits
  2. Something in between 1 and 3
  3. Fully configurable: we can change the course size limit, as well as allow Sourcecasts and uploading game resources independently, for each course

? What does a user being verified allow them to do?

  1. Just lets them create unlimited courses
  2. Also makes the courses they create automatically verified

Superuser panel

There should be a superuser panel that:

  • lists users and provides some actions (verify/unverify, possibly more in future?)
  • lists courses and provides some actions (verify/unverify, delete, possibly more in future?)