When hosting a session that is open for random users, the threat of griefers coming in and making a mess of everyone’s work is very real. While there is no technical solution to completely fix this problem, Drawpile does have some tools that help.
Typically most user logins are “guest” logins, meaning the username is not password protected. If you run your own server, you can create reserved user accounts.
Perhaps the most important use for this is creating moderator accounts. A moderator can log in to any session (even closed and password protected ones), will automatically gain operator privileges and cannot be kicked.
Other things you can do is limit server access to registered users or block certain usernames.
This is a new feature available since version 1.0.6.
You can set a password for gaining operator status with the command:
/opword "old password" "new password"
The initial password for new sessions is blank, so the set the operator password for the first time, send:
/opword "" "my secret password"
Then, users who send
my secret password as a chat message will gain operator status.
This feature can be triggered quickly by hitting F12 (customizable). When someone is vandalizing the canvas, usually the first step is to lock the session. The damage can then be undone with the undo override feature. (The undo button in user list box.) Undo override can be used even while the session is locked.
Sometimes the damage cannot be fixed easily with the usual undo override. (E.g. when the offender quickly leaves and is no longer listed in the user list.) This is where session reset comes in.
Session reset is usually used to clear out old history to make joining faster. It can also be used to reset the session to an earlier state and is thus a useful tool for recovering a vandalized session.
Session operators can kick users from the session via the user list box. The server can detect when a user is repeatedly kicked and automatically add an IP ban.
(On the TODO list: kickban button to kick+ban the selected user from this session)
Unless you trust every member of the session, it’s a good idea to limit layer controls (layer creation, deletion, etc.) to session operators. Drawpile has three levels of layer control restriction:
The “own layers” mode can be a good compromise if you need to allow users to create their own layers.
There are also a few other commands that can easily destroy entire layers: area fills and cut&paste. (External images can be pasted so this feature can also be abused to inject shock images onto the canvas.)
These operations can also be restricted to session operators. The restriction works by blocking the underlying commands (FillRect and PutImage) and thus disables all tools that use them. These include cut&paste, flood fill, annotation merging and selection fills.
Individual layers can be locked or given exclusively to certain users. For example, you might typically want to lock the background layer. An easy, if heavy handed, way to prevent users from interfering with each other is to isolate them on their own layers.
Locking a user puts them into read-only mode.
In the session settings, you can uncheck the “allow new users to draw” checkbox to lock freshly joined users automatically. This gives you time to vet new users before allowing them to fully participate in the session.
User locking only affects drawing. Locked users can still use the laser pointer and chat.