From 4324a157e0bef819bb0c462e6c353f5dd01d2edf Mon Sep 17 00:00:00 2001 From: Arpit Jalan Date: Wed, 13 May 2015 12:34:05 +0530 Subject: [PATCH] FIX: rate limit topic invitations --- app/models/topic.rb | 5 +++++ config/locales/server.en.yml | 1 + config/site_settings.yml | 1 + spec/models/topic_spec.rb | 23 +++++++++++++++++++++++ 4 files changed, 30 insertions(+) diff --git a/app/models/topic.rb b/app/models/topic.rb index 81fafff80..c6111c005 100644 --- a/app/models/topic.rb +++ b/app/models/topic.rb @@ -557,12 +557,17 @@ class Topic < ActiveRecord::Base end if username_or_email =~ /^.+@.+$/ && !SiteSetting.enable_sso + # rate limit topic invite + RateLimiter.new(invited_by, "topic-invitations-per-day", SiteSetting.max_topic_invitations_per_day, 1.day.to_i).performed! + # NOTE callers expect an invite object if an invite was sent via email invite_by_email(invited_by, username_or_email, group_ids) else # invite existing member to a topic user = User.find_by_username(username_or_email) if user && topic_allowed_users.create!(user_id: user.id) + # rate limit topic invite + RateLimiter.new(invited_by, "topic-invitations-per-day", SiteSetting.max_topic_invitations_per_day, 1.day.to_i).performed! # Notify the user they've been invited user.notifications.create(notification_type: Notification.types[:invited_to_topic], diff --git a/config/locales/server.en.yml b/config/locales/server.en.yml index 266051ca6..f6fbe1eb8 100644 --- a/config/locales/server.en.yml +++ b/config/locales/server.en.yml 
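Review bot: In the existing-member branch of app/models/topic.rb the limiter runs only after `topic_allowed_users.create!(user_id: user.id)` has succeeded, so an over-limit call raises from `performed!` with the user already added to the topic's allowed users (unless a transaction outside this hunk rolls it back); only the notification is skipped. Lookups for usernames that do not exist never reach the limiter, so repeated username probing through this path is not throttled. Running the check once, immediately before `if username_or_email =~ /^.+@.+$/ && !SiteSetting.enable_sso`, would cover both branches before any side effect and remove the duplicated line: `RateLimiter.new(invited_by, "topic-invitations-per-day", SiteSetting.max_topic_invitations_per_day, 1.day.to_i).performed!`. The method starts and ends outside the hunk, so whether the code above the leading `end` needs the same guard cannot be judged from here.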
@@ -933,6 +933,7 @@ en: max_topics_per_day: "Maximum number of topics a user can create per day." max_private_messages_per_day: "Maximum number of messages users can create per day." max_invites_per_day: "Maximum number of invites a user can send per day." + max_topic_invitations_per_day: "Maximum number of topic invitations a user can send per day." suggested_topics: "Number of suggested topics shown at the bottom of a topic." limit_suggested_to_category: "Only show topics from the current category in suggested topics." diff --git a/config/site_settings.yml b/config/site_settings.yml index 8bb55f956..c53d526ee 100644 --- a/config/site_settings.yml +++ b/config/site_settings.yml @@ -675,6 +675,7 @@ rate_limits: max_flags_per_day: 20 max_edits_per_day: 30 max_invites_per_day: 10 + max_topic_invitations_per_day: 30 max_topics_in_first_day: 5 max_replies_in_first_day: 10 tl2_additional_likes_per_day_multiplier: 1.5 diff --git a/spec/models/topic_spec.rb b/spec/models/topic_spec.rb index f15054481..168e1ec91 100644 --- a/spec/models/topic_spec.rb +++ b/spec/models/topic_spec.rb @@ -371,6 +371,29 @@ describe Topic do end + it "rate limits topic invitations" do + SiteSetting.stubs(:max_topic_invitations_per_day).returns(2) + RateLimiter.stubs(:disabled?).returns(false) + RateLimiter.clear_all! + + start = Time.now.tomorrow.beginning_of_day + freeze_time(start) + + user = Fabricate(:user) + topic = Fabricate(:topic) + + freeze_time(start + 10.minutes) + topic.invite(topic.user, user.username) + + freeze_time(start + 20.minutes) + topic.invite(topic.user, "walter@white.com") + + freeze_time(start + 30.minutes) + + expect { + topic.invite(topic.user, "user@example.com") + }.to raise_exception + end context 'bumping topics' do
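Review bot: In the spec/models/topic_spec.rb hunk, `raise_exception` with no class passes on any error, including a NoMethodError from a typo, so the example does not prove that the limiter is what stopped the third invite; `}.to raise_error(RateLimiter::LimitExceeded)` would pin it. The over-limit call uses an e-mail address, so the existing-member branch of `Topic#invite` is never exercised past the limit. A second example that invites one more fabricated user after the limit is reached, and asserts that the user is absent from `topic.topic_allowed_users`, would show whether a rejected invite still changes who is allowed on the topic.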