github-mirror/discourse
2
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2024-12-16 09:24:25 +08:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

SECURITY: rate limit change email requests

Browse Source
This commit is contained in:
Neil Lalonde 2014-09-18 10:48:56 -04:00
parent 570e3b3e79
commit 6fe364e7ae
3 changed files with 13 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
app/assets/javascripts/discourse/controllers/preferences/email.js.es6
View File

@ -34,8 +34,13 @@ export default ObjectController.extend({
this.set('saving', true); this.set('saving', true);
return this.get('content').changeEmail(this.get('newEmail')).then(function() { return this.get('content').changeEmail(this.get('newEmail')).then(function() {
self.set('success', true); self.set('success', true);
}, function() { }, function(data) {
self.setProperties({ error: true, saving: false }); self.setProperties({ error: true, saving: false });
if (data.responseJSON && data.responseJSON.errors && data.responseJSON.errors[0]) {
self.set('errorMessage', data.responseJSON.errors[0]);
} else {
self.set('errorMessage', I18n.t('user.change_email.error'));
}
}); });
} }
} }

2
app/assets/javascripts/discourse/templates/user/email.js.handlebars
View File

@ -17,7 +17,7 @@
{{#if error}} {{#if error}}
<div class="control-group"> <div class="control-group">
<div class="instructions"> <div class="instructions">
<div class='alert alert-error'>{{i18n user.change_email.error}}</div> <div class='alert alert-error'>{{errorMessage}}</div>
</div> </div>
</div> </div>
{{/if}} {{/if}}

6
app/controllers/users_controller.rb
View File

@ -1,6 +1,7 @@
require_dependency 'discourse_hub' require_dependency 'discourse_hub'
require_dependency 'user_name_suggester' require_dependency 'user_name_suggester'
require_dependency 'avatar_upload_service' require_dependency 'avatar_upload_service'
require_dependency 'rate_limiter'
class UsersController < ApplicationController class UsersController < ApplicationController
@ -261,6 +262,9 @@ class UsersController < ApplicationController
guardian.ensure_can_edit_email!(user) guardian.ensure_can_edit_email!(user)
lower_email = Email.downcase(params[:email]).strip lower_email = Email.downcase(params[:email]).strip
RateLimiter.new(user, "change-email-hr-#{request.remote_ip}", 6, 1.hour).performed!
RateLimiter.new(user, "change-email-min-#{request.remote_ip}", 3, 1.minute).performed!
# Raise an error if the email is already in use # Raise an error if the email is already in use
if User.find_by_email(lower_email) if User.find_by_email(lower_email)
raise Discourse::InvalidParameters.new(:email) raise Discourse::InvalidParameters.new(:email)
@ -276,6 +280,8 @@ class UsersController < ApplicationController
) )
render nothing: true render nothing: true
rescue RateLimiter::LimitExceeded
render_json_error(I18n.t("rate_limiter.slow_down"))
end end
def authorize_email def authorize_email