Mark Smith ([staff profile] mark) wrote in [site community profile] changelog2009-05-03 05:24 pm

[dw-free] Add rate limiting to community creation to prevent namesquatting.

[commit: http://hg.dwscoalition.org/dw-free/rev/40002de12c46]

Add rate limiting to community creation to prevent namesquatting.

Patch by [staff profile] mark.

Files modified:
  • bin/upgrading/base-data.sql
  • etc/config.pl
  • htdocs/community/create.bml
  • htdocs/community/create.bml.text
--------------------------------------------------------------------------------
diff -r 61f0008d314b -r 40002de12c46 bin/upgrading/base-data.sql
--- a/bin/upgrading/base-data.sql	Sun May 03 04:00:56 2009 +0000
+++ b/bin/upgrading/base-data.sql	Sun May 03 17:24:19 2009 +0000
@@ -570,6 +570,8 @@ UPDATE priv_list SET des='Allows a user 
 UPDATE priv_list SET des='Allows a user to edit site text in a given language. arg=Unique language code, optionally appended by |domainid.domaincode',is_public='1',privname='Translate/Update Text',scope='general' WHERE privcode='translate';
 INSERT IGNORE INTO ratelist (des, name) VALUES ('Logged when a user adds someone to their Friends list', 'addfriend');
 UPDATE ratelist SET des='Logged when a user adds someone to their Friends list' WHERE name='addfriend';
+INSERT IGNORE INTO ratelist (des, name) VALUES ('Logged when a user creates a community.', 'commcreate');
+UPDATE ratelist SET des='Logged when a user creates a community.' WHERE name='commcreate';
 INSERT IGNORE INTO ratelist (des, name) VALUES ('Logged when wrong username/password is used.', 'failed_login');
 UPDATE ratelist SET des='Logged when wrong username/password is used.' WHERE name='failed_login';
 INSERT IGNORE INTO ratelist (des, name) VALUES ('Logged when a user sends a free VGift', 'freevgifts');
diff -r 61f0008d314b -r 40002de12c46 etc/config.pl
--- a/etc/config.pl	Sun May 03 04:00:56 2009 +0000
+++ b/etc/config.pl	Sun May 03 17:24:19 2009 +0000
@@ -332,6 +332,8 @@
             'rateallowed-lostinfo' => 3,
             'rateperiod-failed_login' => 60*5, # 5 minutes
             'rateallowed-failed_login' => 3,
+            'rateperiod-commcreate' => 86400*7, # 7 days / 1 week
+            'rateallowed-commcreate' => 3,
             'staff_headicon' => 0,
             thread_expander => 0,
             'xpost_accounts' => 0,
diff -r 61f0008d314b -r 40002de12c46 htdocs/community/create.bml
--- a/htdocs/community/create.bml	Sun May 03 04:00:56 2009 +0000
+++ b/htdocs/community/create.bml	Sun May 03 17:24:19 2009 +0000
@@ -44,6 +44,10 @@ SUBMIT:
         return "<b>$ML{'Error'}</b>: $ML{'.error.postrequired'}" unless LJ::did_post();
         # Note: If a captcha check is added, then form auth would be redundant
         return "<b>$ML{'Error'}</b>: $ML{'error.invalidform'}" unless LJ::check_form_auth();
+
+        # rate limit
+        return "<b>$ML{'Error'}</b>: $ML{'.error.ratelimited'}"
+            unless $remote->rate_log( 'commcreate', 1 );
 
         my $user = LJ::canonical_username($POST{user});
         my $title = $POST{title} || $user;
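Review bot: The new `rate_log('commcreate', 1)` call on the added lines charges the quota before the submitted name is validated, so every rejected attempt (name already in use, invalid username, other later checks) consumes one of the three weekly slots, and a user who mistypes three times is locked out for a week without ever creating a community. Consider checking the limit here without logging and only logging the event once the community has actually been created; if the codebase has the usual read-only companion to rate_log, that would be `unless $remote->rate_check( 'commcreate', 1 );` at this point and the `rate_log` call next to the successful creation, which lies outside this hunk. The block also assumes `$remote` is already set and non-undef above the hunk; if the page can be reached logged-out, a `return ... unless $remote;` guard before this line avoids a method call on undef. Separately, the `.error.ratelimited` text hardcodes "in a week" while the period comes from `rateperiod-commcreate` in etc/config.pl, so the message silently goes stale if the config value is changed.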
diff -r 61f0008d314b -r 40002de12c46 htdocs/community/create.bml.text
--- a/htdocs/community/create.bml.text	Sun May 03 04:00:56 2009 +0000
+++ b/htdocs/community/create.bml.text	Sun May 03 17:24:19 2009 +0000
@@ -12,6 +12,8 @@
 .error.notvalidated2=You must <a [[aopts]]>validate your email address</a> in order to create a community.
 
 .error.postrequired=POST required.
+
+.error.ratelimited=You have exceeded the maximum number of communities you can create in a week.  Please try again later.
 
 .error.username.inuse=Account name already in use; please select a different one.
 
--------------------------------------------------------------------------------