mirror of
https://github.com/discourse/discourse.git
synced 2024-12-16 20:13:43 +08:00
SECURITY: rate limit change email requests
This commit is contained in:
parent
570e3b3e79
commit
6fe364e7ae
|
@ -34,8 +34,13 @@ export default ObjectController.extend({
|
||||||
this.set('saving', true);
|
this.set('saving', true);
|
||||||
return this.get('content').changeEmail(this.get('newEmail')).then(function() {
|
return this.get('content').changeEmail(this.get('newEmail')).then(function() {
|
||||||
self.set('success', true);
|
self.set('success', true);
|
||||||
}, function() {
|
}, function(data) {
|
||||||
self.setProperties({ error: true, saving: false });
|
self.setProperties({ error: true, saving: false });
|
||||||
|
if (data.responseJSON && data.responseJSON.errors && data.responseJSON.errors[0]) {
|
||||||
|
self.set('errorMessage', data.responseJSON.errors[0]);
|
||||||
|
} else {
|
||||||
|
self.set('errorMessage', I18n.t('user.change_email.error'));
|
||||||
|
}
|
||||||
});
|
});
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -17,7 +17,7 @@
|
||||||
{{#if error}}
|
{{#if error}}
|
||||||
<div class="control-group">
|
<div class="control-group">
|
||||||
<div class="instructions">
|
<div class="instructions">
|
||||||
<div class='alert alert-error'>{{i18n user.change_email.error}}</div>
|
<div class='alert alert-error'>{{errorMessage}}</div>
|
||||||
</div>
|
</div>
|
||||||
</div>
|
</div>
|
||||||
{{/if}}
|
{{/if}}
|
||||||
|
|
|
@ -1,6 +1,7 @@
|
||||||
require_dependency 'discourse_hub'
|
require_dependency 'discourse_hub'
|
||||||
require_dependency 'user_name_suggester'
|
require_dependency 'user_name_suggester'
|
||||||
require_dependency 'avatar_upload_service'
|
require_dependency 'avatar_upload_service'
|
||||||
|
require_dependency 'rate_limiter'
|
||||||
|
|
||||||
class UsersController < ApplicationController
|
class UsersController < ApplicationController
|
||||||
|
|
||||||
|
@ -261,6 +262,9 @@ class UsersController < ApplicationController
|
||||||
guardian.ensure_can_edit_email!(user)
|
guardian.ensure_can_edit_email!(user)
|
||||||
lower_email = Email.downcase(params[:email]).strip
|
lower_email = Email.downcase(params[:email]).strip
|
||||||
|
|
||||||
|
RateLimiter.new(user, "change-email-hr-#{request.remote_ip}", 6, 1.hour).performed!
|
||||||
|
RateLimiter.new(user, "change-email-min-#{request.remote_ip}", 3, 1.minute).performed!
|
||||||
|
|
||||||
# Raise an error if the email is already in use
|
# Raise an error if the email is already in use
|
||||||
if User.find_by_email(lower_email)
|
if User.find_by_email(lower_email)
|
||||||
raise Discourse::InvalidParameters.new(:email)
|
raise Discourse::InvalidParameters.new(:email)
|
||||||
|
@ -276,6 +280,8 @@ class UsersController < ApplicationController
|
||||||
)
|
)
|
||||||
|
|
||||||
render nothing: true
|
render nothing: true
|
||||||
|
rescue RateLimiter::LimitExceeded
|
||||||
|
render_json_error(I18n.t("rate_limiter.slow_down"))
|
||||||
end
|
end
|
||||||
|
|
||||||
def authorize_email
|
def authorize_email
|
||||||
|
|
Loading…
Reference in New Issue
Block a user