Merge pull request #3460 from techAPJ/patch-3

FIX: rate limit topic invitations
2024-11-23 23:58:31 -05:00 · 2015-05-13 12:55:20 +02:00 · 2015-05-13 12:55:20 +02:00 · d90e0fe66b
commit d90e0fe66b
parent 8362993099 4324a157e0
4 changed files with 30 additions and 0 deletions
--- a/app/models/topic.rb
+++ b/app/models/topic.rb
@ -557,12 +557,17 @@ class Topic < ActiveRecord::Base
    end

    if username_or_email =~ /^.+@.+$/ && !SiteSetting.enable_sso
+      # rate limit topic invite
+      RateLimiter.new(invited_by, "topic-invitations-per-day", SiteSetting.max_topic_invitations_per_day, 1.day.to_i).performed!
+
      # NOTE callers expect an invite object if an invite was sent via email
      invite_by_email(invited_by, username_or_email, group_ids)
    else
      # invite existing member to a topic
      user = User.find_by_username(username_or_email)
      if user && topic_allowed_users.create!(user_id: user.id)
+        # rate limit topic invite
+        RateLimiter.new(invited_by, "topic-invitations-per-day", SiteSetting.max_topic_invitations_per_day, 1.day.to_i).performed!

        # Notify the user they've been invited
        user.notifications.create(notification_type: Notification.types[:invited_to_topic],
--- a/config/locales/server.en.yml
+++ b/config/locales/server.en.yml
@ -933,6 +933,7 @@ en:
    max_topics_per_day: "Maximum number of topics a user can create per day."
    max_private_messages_per_day: "Maximum number of messages users can create per day."
    max_invites_per_day: "Maximum number of invites a user can send per day."
+    max_topic_invitations_per_day: "Maximum number of topic invitations a user can send per day."

    suggested_topics: "Number of suggested topics shown at the bottom of a topic."
    limit_suggested_to_category: "Only show topics from the current category in suggested topics."
--- a/config/site_settings.yml
+++ b/config/site_settings.yml
@ -675,6 +675,7 @@ rate_limits:
  max_flags_per_day: 20
  max_edits_per_day: 30
  max_invites_per_day: 10
+  max_topic_invitations_per_day: 30
  max_topics_in_first_day: 5
  max_replies_in_first_day: 10
  tl2_additional_likes_per_day_multiplier: 1.5
--- a/spec/models/topic_spec.rb
+++ b/spec/models/topic_spec.rb
@ -371,6 +371,29 @@ describe Topic do

  end

+  it "rate limits topic invitations" do
+    SiteSetting.stubs(:max_topic_invitations_per_day).returns(2)
+    RateLimiter.stubs(:disabled?).returns(false)
+    RateLimiter.clear_all!
+
+    start = Time.now.tomorrow.beginning_of_day
+    freeze_time(start)
+
+    user = Fabricate(:user)
+    topic = Fabricate(:topic)
+
+    freeze_time(start + 10.minutes)
+    topic.invite(topic.user, user.username)
+
+    freeze_time(start + 20.minutes)
+    topic.invite(topic.user, "walter@white.com")
+
+    freeze_time(start + 30.minutes)
+
+    expect {
+      topic.invite(topic.user, "user@example.com")
+    }.to raise_exception
+  end

  context 'bumping topics' do