Mark Smith ([staff profile] mark) wrote in [site community profile] changelog2009-05-03 05:24 pm

[dw-free] Add rate limiting to community creation to prevent namesquatting.

[commit: http://hg.dwscoalition.org/dw-free/rev/40002de12c46]

Add rate limiting to community creation to prevent namesquatting.

Patch by [staff profile] mark.

Files modified:
  • bin/upgrading/base-data.sql
  • etc/config.pl
  • htdocs/community/create.bml
  • htdocs/community/create.bml.text
--------------------------------------------------------------------------------
diff -r 61f0008d314b -r 40002de12c46 bin/upgrading/base-data.sql
--- a/bin/upgrading/base-data.sql	Sun May 03 04:00:56 2009 +0000
+++ b/bin/upgrading/base-data.sql	Sun May 03 17:24:19 2009 +0000
@@ -570,6 +570,8 @@ UPDATE priv_list SET des='Allows a user 
 UPDATE priv_list SET des='Allows a user to edit site text in a given language. arg=Unique language code, optionally appended by |domainid.domaincode',is_public='1',privname='Translate/Update Text',scope='general' WHERE privcode='translate';
 INSERT IGNORE INTO ratelist (des, name) VALUES ('Logged when a user adds someone to their Friends list', 'addfriend');
 UPDATE ratelist SET des='Logged when a user adds someone to their Friends list' WHERE name='addfriend';
+INSERT IGNORE INTO ratelist (des, name) VALUES ('Logged when a user creates a community.', 'commcreate');
+UPDATE ratelist SET des='Logged when a user creates a community.' WHERE name='commcreate';
 INSERT IGNORE INTO ratelist (des, name) VALUES ('Logged when wrong username/password is used.', 'failed_login');
 UPDATE ratelist SET des='Logged when wrong username/password is used.' WHERE name='failed_login';
 INSERT IGNORE INTO ratelist (des, name) VALUES ('Logged when a user sends a free VGift', 'freevgifts');
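Review bot: The new 'commcreate' rate name has to match exactly the 'rateperiod-commcreate'/'rateallowed-commcreate' keys in etc/config.pl and the rate_log( 'commcreate', 1 ) call in create.bml, and the limit silently does nothing if this row is missing, so make sure base-data.sql is applied before the code is deployed. The INSERT IGNORE plus UPDATE pair follows the idempotent pattern of the neighbouring ratelist entries, which is correct for re-runnable upgrade scripts.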
diff -r 61f0008d314b -r 40002de12c46 etc/config.pl
--- a/etc/config.pl	Sun May 03 04:00:56 2009 +0000
+++ b/etc/config.pl	Sun May 03 17:24:19 2009 +0000
@@ -332,6 +332,8 @@
             'rateallowed-lostinfo' => 3,
             'rateperiod-failed_login' => 60*5, # 5 minutes
             'rateallowed-failed_login' => 3,
+            'rateperiod-commcreate' => 86400*7, # 7 days / 1 week
+            'rateallowed-commcreate' => 3,
             'staff_headicon' => 0,
             thread_expander => 0,
             'xpost_accounts' => 0,
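Review bot: 3 creations per 86400*7 seconds is a per-account default (the check in create.bml is made on $remote), and nothing here lets a trusted account exceed it, so document that site admins are expected to override 'rateallowed-commcreate' for that case. Also note the hash mixes quoted and bare keys ('staff_headicon' versus thread_expander); the two added keys are quoted, which matches the rate entries above them.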
diff -r 61f0008d314b -r 40002de12c46 htdocs/community/create.bml
--- a/htdocs/community/create.bml	Sun May 03 04:00:56 2009 +0000
+++ b/htdocs/community/create.bml	Sun May 03 17:24:19 2009 +0000
@@ -44,6 +44,10 @@ SUBMIT:
         return "<b>$ML{'Error'}</b>: $ML{'.error.postrequired'}" unless LJ::did_post();
         # Note: If a captcha check is added, then form auth would be redundant
         return "<b>$ML{'Error'}</b>: $ML{'error.invalidform'}" unless LJ::check_form_auth();
+
+        # rate limit
+        return "<b>$ML{'Error'}</b>: $ML{'.error.ratelimited'}"
+            unless $remote->rate_log( 'commcreate', 1 );
 
         my $user = LJ::canonical_username($POST{user});
         my $title = $POST{title} || $user;
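Review bot: rate_log( 'commcreate', 1 ) both checks and records the event, and it runs before `my $user = LJ::canonical_username($POST{user});` and the later validation, so every failed submission (name already in use, invalid name, missing title) consumes one of the three weekly attempts even though no community was created; consider recording the rate event only once creation has succeeded, or at least after input validation, and keeping only a non-logging check this early. Placing the check after LJ::check_form_auth() is right, since a forged cross-site POST should not be able to drain a user's allowance.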
diff -r 61f0008d314b -r 40002de12c46 htdocs/community/create.bml.text
--- a/htdocs/community/create.bml.text	Sun May 03 04:00:56 2009 +0000
+++ b/htdocs/community/create.bml.text	Sun May 03 17:24:19 2009 +0000
@@ -12,6 +12,8 @@
 .error.notvalidated2=You must <a [[aopts]]>validate your email address</a> in order to create a community.
 
 .error.postrequired=POST required.
+
+.error.ratelimited=You have exceeded the maximum number of communities you can create in a week.  Please try again later.
 
 .error.username.inuse=Account name already in use; please select a different one.
 
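Review bot: The error string hardcodes "in a week" while the actual window is whatever 'rateperiod-commcreate' is set to in config.pl, so the text goes stale as soon as a site changes the period; either word it without a fixed period ("You have created too many communities recently") or pass the period in as a [[...]] parameter like the other messages in this file do. There is also a double space after the first sentence.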
--------------------------------------------------------------------------------
