FEATURE: rate limit resend invites

2016-06-07 01:06:59 +05:30 · 2016-06-07 01:06:59 +05:30 · a9c6df198c
parent 35337cd687
commit a9c6df198c
3 changed files with 19 additions and 5 deletions
--- a/app/assets/javascripts/discourse/controllers/user-invited-show.js.es6
+++ b/app/assets/javascripts/discourse/controllers/user-invited-show.js.es6
@ -1,5 +1,6 @@
 import Invite from 'discourse/models/invite';
 import debounce from 'discourse/lib/debounce';
+import { popupAjaxError } from 'discourse/lib/ajax-error';

 // This controller handles actions related to a user's invitations
 export default Ember.Controller.extend({
@ -96,7 +97,7 @@ export default Ember.Controller.extend({
      const self = this;
      Invite.reinviteAll().then(function() {
        self.set('reinvitedAll', true);
-      });
+      }).catch(popupAjaxError);
    },

    loadMore() {
--- a/app/assets/javascripts/discourse/models/invite.js.es6
+++ b/app/assets/javascripts/discourse/models/invite.js.es6
@ -1,3 +1,5 @@
+import { popupAjaxError } from 'discourse/lib/ajax-error';
+
 const Invite = Discourse.Model.extend({

  rescind() {
@ -9,11 +11,13 @@ const Invite = Discourse.Model.extend({
  },

  reinvite() {
-    Discourse.ajax('/invites/reinvite', {
+    const self = this;
+    return Discourse.ajax('/invites/reinvite', {
      type: 'POST',
      data: { email: this.get('email') }
-    });
-    this.set('reinvited', true);
+    }).then(function() {
+      self.set('reinvited', true);
+    }).catch(popupAjaxError);
  }

 });
--- a/app/controllers/invites_controller.rb
+++ b/app/controllers/invites_controller.rb
@ -1,3 +1,5 @@
+require_dependency 'rate_limiter'
+
 class InvitesController < ApplicationController

  # TODO tighten this, why skip check on everything?
@ -127,19 +129,26 @@ class InvitesController < ApplicationController

  def resend_invite
    params.require(:email)
+    RateLimiter.new(current_user, "resend-invite-per-hour", 10, 1.hour).performed!

    invite = Invite.find_by(invited_by_id: current_user.id, email: params[:email])
    raise Discourse::InvalidParameters.new(:email) if invite.blank?
    invite.resend_invite
-
    render nothing: true
+
+  rescue RateLimiter::LimitExceeded
+    render_json_error(I18n.t("rate_limiter.slow_down"))
  end

  def resend_all_invites
    guardian.ensure_can_invite_to_forum!
+    RateLimiter.new(current_user, "resend-all-invites-per-day", 1, 1.day).performed!

    Invite.resend_all_invites_from(current_user.id)
    render nothing: true
+
+  rescue RateLimiter::LimitExceeded
+    render_json_error(I18n.t("rate_limiter.slow_down"))
  end

  def check_csv_chunk