Discourse/discourse
Discourse/discourse
2
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2025-09-07 12:02:53 +08:00
Code Packages Activity Actions 5

SECURITY: rate limit change email requests

Browse source
This commit is contained in:
Neil Lalonde 2014-09-18 10:48:56 -04:00
parent 33c6a2d341
commit c4e285f3ec
3 changed files with 13 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

6
app/controllers/users_controller.rb
View file

@ -1,6 +1,7 @@
require_dependency 'discourse_hub'
require_dependency 'user_name_suggester'
require_dependency 'avatar_upload_service'
require_dependency 'rate_limiter'
class UsersController < ApplicationController
@ -261,6 +262,9 @@ class UsersController < ApplicationController
guardian.ensure_can_edit_email!(user)
lower_email = Email.downcase(params[:email]).strip
RateLimiter.new(user, "change-email-hr-#{request.remote_ip}", 6, 1.hour).performed!
RateLimiter.new(user, "change-email-min-#{request.remote_ip}", 3, 1.minute).performed!
# Raise an error if the email is already in use
if User.find_by_email(lower_email)
raise Discourse::InvalidParameters.new(:email)
@ -276,6 +280,8 @@ class UsersController < ApplicationController
)
render nothing: true
rescue RateLimiter::LimitExceeded
render_json_error(I18n.t("rate_limiter.slow_down"))
end
def authorize_email