mirror of
https://we.phorge.it/source/phorge.git
synced 2024-12-19 12:00:55 +01:00
No description
847b7977c1
Summary: This adds a system which basically keeps a record of recent actions, who took them, and how many "points" they were worth, like: epriestley email.add 1 1233989813 epriestley email.add 1 1234298239 epriestley email.add 1 1238293981 We can use this to rate-limit actions by examining how many actions the user has taken in the past hour (i.e., their total score) and comparing that to an allowed limit. One major thing I want to use this for is to limit the amount of error email we'll send to an email address. A big concern I have with sending more error email is that we'll end up in loops. We have some protections against this in headers already, but hard-limiting the system so it won't send more than a few errors to a particular address per hour should provide a reasonable secondary layer of protection. This use case (where the "actor" needs to be an email address) is why the table uses strings + hashes instead of PHIDs. For external users, it might be appropriate to rate limit by cookies or IPs, too. To prove it works, I rate limited adding email addresses. This is a very, very low-risk security thing where a user with an account can enumerate addresses (by checking if they get an error) and sort of spam/annoy people (by adding their address over and over again). Limiting them to 6 actions / hour should satisfy all real users while preventing these behaviors. Test Plan: This dialog is uggos but I'll fix that in a sec: {F137406} Reviewers: btrahan Reviewed By: btrahan Subscribers: epriestley Differential Revision: https://secure.phabricator.com/D8683 |
||
---|---|---|
bin | ||
conf | ||
externals | ||
resources | ||
scripts | ||
src | ||
support | ||
webroot | ||
.arcconfig | ||
.editorconfig | ||
.gitignore | ||
LICENSE | ||
NOTICE | ||
README |
Phabricator is an open source collection of web applications which help software companies build better software. Phabricator includes applications for: - reviewing and auditing source code; - hosting and browsing repositories; - assembling a party to venture forth; - tracking bugs; - hiding stuff from coworkers; and - also some other things. You can learn more about the project (and find links to documentation and resources) here: http://phabricator.org/ Phabricator is developed and maintained by Phacility. The first version of Phabricator was originally built at Facebook. LICENSE Phabricator is released under the Apache 2.0 license except as otherwise noted.