SECURITY: Limit email invitations to topic
parent
a0537816fb
commit
cc84ea2444
|
@ -113,6 +113,8 @@ class Invite < ActiveRecord::Base
|
|||
invite.destroy
|
||||
invite = nil
|
||||
end
|
||||
email_digest = Digest::SHA256.hexdigest(email)
|
||||
RateLimiter.new(invited_by, "reinvites-per-day-#{email_digest}", 3, 1.day.to_i).performed!
|
||||
end
|
||||
|
||||
emailed_status = if opts[:skip_email] || invite&.emailed_status == emailed_status_types[:not_required]
|
||||
|
|
|
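Review bot: The limiter key on the second added line is derived from `email` exactly as passed in, so unless the caller already normalizes it, case or whitespace variants of one address (`Test@example.com` vs `test@example.com`) produce different digests and each get their own 3-per-day budget; hashing a normalized form, e.g. `email_digest = Digest::SHA256.hexdigest(email.strip.downcase)`, removes that gap if no earlier normalization exists. The digest otherwise keeps the raw address out of the limiter key, which deserves a one-line why-comment above it, such as `# hash the address so it is not used verbatim as the limiter key`. The enclosing method begins before the hunk, so whether `email` was normalized earlier cannot be confirmed from this view.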
@ -176,6 +176,24 @@ RSpec.describe Invite do
|
|||
|
||||
expect(invite.invite_key).not_to eq(another_invite.invite_key)
|
||||
end
|
||||
|
||||
context "when email is already invited 3 times" do
|
||||
before do
|
||||
RateLimiter.enable
|
||||
3.times do
|
||||
Invite.generate(user, email: "test@example.com")
|
||||
end
|
||||
end
|
||||
|
||||
after do
|
||||
RateLimiter.clear_all!
|
||||
end
|
||||
|
||||
it "raises an error" do
|
||||
expect { Invite.generate(user, email: "test@example.com") }
|
||||
.to raise_error(RateLimiter::LimitExceeded)
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
context 'when inviting to a topic' do
|
||||
|
|
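Review bot: The `after` hook clears the counters but leaves the limiter enabled by `RateLimiter.enable` in `before`, so if the rest of the suite runs with the limiter disabled, later examples in this file may start tripping limits; restoring the prior state in `after` (the counterpart of `enable`, `RateLimiter.disable`, if this codebase provides it) keeps the context self-contained. The new example also invites the identical address string each time; one more example that invites a case-variant of the same address would pin whether the daily budget is shared across spellings or can be sidestepped. Both hooks and the example lie entirely within the hunk.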