Merge pull request #3460 from techAPJ/patch-3

FIX: rate limit topic invitations
Régis Hanol 2015-05-13 12:55:20 +02:00
commit d90e0fe66b
4 changed files with 30 additions and 0 deletions


@ -557,12 +557,17 @@ class Topic < ActiveRecord::Base
end
if username_or_email =~ /^.+@.+$/ && !SiteSetting.enable_sso
# rate limit topic invite
RateLimiter.new(invited_by, "topic-invitations-per-day", SiteSetting.max_topic_invitations_per_day, 1.day.to_i).performed!
# NOTE callers expect an invite object if an invite was sent via email
invite_by_email(invited_by, username_or_email, group_ids)
else
# invite existing member to a topic
user = User.find_by_username(username_or_email)
if user && topic_allowed_users.create!(user_id: user.id)
# rate limit topic invite
RateLimiter.new(invited_by, "topic-invitations-per-day", SiteSetting.max_topic_invitations_per_day, 1.day.to_i).performed!
# Notify the user they've been invited
user.notifications.create(notification_type: Notification.types[:invited_to_topic],
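Review bot: In the existing-member branch the limiter runs only after `topic_allowed_users.create!` has succeeded, so when the limit is exceeded `performed!` raises but the invited user has already been added to the topic; only the notification is suppressed. Unless a caller wraps this in a transaction (not visible here), the check should come before the write: test `if user` first, call `RateLimiter.new(invited_by, "topic-invitations-per-day", SiteSetting.max_topic_invitations_per_day, 1.day.to_i).performed!`, and only then run `topic_allowed_users.create!(user_id: user.id)`. The same limiter construction is repeated in the email branch and could be built once into a local so the key and window cannot drift apart. The enclosing method begins and ends outside this hunk.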


@ -933,6 +933,7 @@ en:
max_topics_per_day: "Maximum number of topics a user can create per day."
max_private_messages_per_day: "Maximum number of messages users can create per day."
max_invites_per_day: "Maximum number of invites a user can send per day."
max_topic_invitations_per_day: "Maximum number of topic invitations a user can send per day."
suggested_topics: "Number of suggested topics shown at the bottom of a topic."
limit_suggested_to_category: "Only show topics from the current category in suggested topics."


@ -675,6 +675,7 @@ rate_limits:
max_flags_per_day: 20
max_edits_per_day: 30
max_invites_per_day: 10
max_topic_invitations_per_day: 30
max_topics_in_first_day: 5
max_replies_in_first_day: 10
tl2_additional_likes_per_day_multiplier: 1.5


@ -371,6 +371,29 @@ describe Topic do
end
it "rate limits topic invitations" do
SiteSetting.stubs(:max_topic_invitations_per_day).returns(2)
RateLimiter.stubs(:disabled?).returns(false)
RateLimiter.clear_all!
start = Time.now.tomorrow.beginning_of_day
freeze_time(start)
user = Fabricate(:user)
topic = Fabricate(:topic)
freeze_time(start + 10.minutes)
topic.invite(topic.user, user.username)
freeze_time(start + 20.minutes)
topic.invite(topic.user, "walter@white.com")
freeze_time(start + 30.minutes)
expect {
topic.invite(topic.user, "user@example.com")
}.to raise_exception
end
context 'bumping topics' do
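Review bot: The bare `raise_exception` matcher in the final expectation passes on any error, including a `NoMethodError` from an unrelated regression, so the spec does not prove the limiter fired; pin it to the limiter's own error with `.to raise_exception(RateLimiter::LimitExceeded)`. The over-limit call uses an email address, so the existing-member path is never exercised at the limit. A further case that invites a fabricated user once the quota is spent, and asserts that no `topic_allowed_users` row was created, would cover it. The surrounding `describe` block starts and ends outside the hunk.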