mirror of https://we.phorge.it/source/phorge.git synced 2024-11-28 09:42:41 +01:00
phorge-phorge/src/applications
epriestley 847b7977c1 Add semi-generic rate limiting infrastructure
Summary:
This adds a system which basically keeps a record of recent actions, who took them, and how many "points" they were worth, like:

  epriestley email.add 1 1233989813
  epriestley email.add 1 1234298239
  epriestley email.add 1 1238293981

We can use this to rate-limit actions by examining how many actions the user has taken in the past hour (i.e., their total score) and comparing that to an allowed limit.

One major thing I want to use this for is to limit the amount of error email we'll send to an email address. A big concern I have with sending more error email is that we'll end up in loops. We have some protections against this in headers already, but hard-limiting the system so it won't send more than a few errors to a particular address per hour should provide a reasonable secondary layer of protection.

This use case (where the "actor" needs to be an email address) is why the table uses strings + hashes instead of PHIDs. For external users, it might be appropriate to rate limit by cookies or IPs, too.

To prove it works, I rate limited adding email addresses. This is a very, very low-risk security thing where a user with an account can enumerate addresses (by checking if they get an error) and sort of spam/annoy people (by adding their address over and over again). Limiting them to 6 actions / hour should satisfy all real users while preventing these behaviors.

Test Plan:
This dialog is uggos but I'll fix that in a sec:

{F137406}

Reviewers: btrahan

Reviewed By: btrahan

Subscribers: epriestley

Differential Revision: https://secure.phabricator.com/D8683
2014-04-03 11:22:38 -07:00
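The record-and-score scheme the commit message describes, as an added example written for this page rather than code from the Phorge/Phabricator tree: each action is logged as (actor, action, points, timestamp), the actor's points inside the last hour are summed, and the action is refused when taking it would push the sum over the limit. The in-memory store, the SHA-256 hashing of the actor string (standing in for the "strings + hashes" table key), the `try_email_add`/`try_error_mail` helpers, the `current + score > limit` refusal rule and the sample timestamps are all assumptions of this example, not the project's.

```python
import hashlib
import time
from collections import defaultdict

# Assumed constants for this example: a one-hour window and the 6 adds/hour
# limit the commit message quotes for "email.add".
WINDOW_SECONDS = 3600
EMAIL_ADD_LIMIT = 6


class RateLimitExceeded(Exception):
    """Raised when taking the action would push the actor over the limit."""


class ActionLog:
    """Sliding-window log of (actor, action, score, timestamp) records.

    Actors are arbitrary strings (usernames, email addresses, IPs, cookie
    values), keyed by a hash so every actor type fits one fixed-size key.
    This in-memory dict stands in for the database table the commit
    describes; the behaviour, not the storage, is the point.
    """

    def __init__(self, window=WINDOW_SECONDS):
        self.window = window
        self._records = defaultdict(list)  # (actor_hash, action) -> [(ts, score)]

    @staticmethod
    def _key(actor, action):
        actor_hash = hashlib.sha256(actor.encode("utf-8")).hexdigest()
        return (actor_hash, action)

    def current_score(self, actor, action, now):
        """Sum this actor's scores inside the window, pruning expired
        records so the log cannot grow without bound."""
        key = self._key(actor, action)
        cutoff = now - self.window
        live = [(ts, score) for ts, score in self._records[key] if ts > cutoff]
        self._records[key] = live
        return sum(score for _, score in live)

    def will_take_action(self, actor, action, limit, score=1, now=None):
        """Record the action if it fits under `limit`, else refuse it.

        Returns the actor's new score for the window. The check is
        `current + score > limit`, so an actor already at the limit is
        refused (assumed semantics for this example).
        """
        if now is None:
            now = int(time.time())
        current = self.current_score(actor, action, now)
        if current + score > limit:
            raise RateLimitExceeded(
                f"{actor!r} has {current} points for {action!r} in the last "
                f"{self.window}s; limit is {limit}")
        self._records[self._key(actor, action)].append((now, score))
        return current + score


def try_email_add(log, user, now):
    """Gate an 'add email address' request; True if it may proceed."""
    try:
        log.will_take_action(user, "email.add", EMAIL_ADD_LIMIT, now=now)
        return True
    except RateLimitExceeded:
        return False


def try_error_mail(log, address, now, limit=3):
    """Gate an error email to `address`. The actor is the address itself,
    which is why actors are free-form strings rather than user IDs."""
    try:
        log.will_take_action(address, "mail.error", limit, now=now)
        return True
    except RateLimitExceeded:
        return False


if __name__ == "__main__":
    log = ActionLog()
    t0 = 1_400_000_000  # constructed epoch timestamp
    print([try_email_add(log, "epriestley", t0 + i) for i in range(8)])
    print(try_email_add(log, "epriestley", t0 + WINDOW_SECONDS + 8))
```

Two details matter for the security use: pruning happens on read, so an attacker cannot make the table grow by being refused, and the limit on error mail is keyed by recipient address, so a mail loop between two systems is capped per address regardless of which user or job triggers the error.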
arcanist/conduit Move Conduit methods inside applications 2012-12-21 12:21:59 -08:00
audit Send mail to audit comment author too 2014-03-31 07:52:51 -07:00
auth Update Google auth documentation to discuss "Google+ API" and new console URI 2014-03-25 13:36:47 -07:00
base Make dialogs a little easier to use 2014-03-21 14:40:05 -07:00
cache Minor, mark SERIALIZATION_PHP fields as BINARY in Lisk 2014-02-23 16:35:51 -08:00
calendar Issue a proper 404 when trying to edit nonexistent events 2014-03-21 19:11:48 -07:00
chatlog Various linter fixes. 2014-02-26 12:44:58 -08:00
conduit Modernize documentation links 2014-03-17 15:01:31 -07:00
config Make Maniphest task statuses user configurable 2014-03-25 14:05:36 -07:00
conpherence Fix three minor edge case behaviors in Conpherence 2014-03-10 16:21:28 -07:00
countdown [Countdown] fix undefined variable errors 2014-02-05 05:33:31 -08:00
daemon Do not perform write in PhabricatorDaemonLogQuery by default 2014-01-21 14:04:12 -08:00
dashboard Add edit/view plumbing for dashboards and panels 2014-02-03 10:52:15 -08:00
differential Break long words in differential two-up view 2014-04-03 09:40:00 -07:00
diffusion Break long words in differential two-up view 2014-04-03 09:40:00 -07:00
diviner Fix help menu links for folks with diviner uninstalled 2014-03-28 13:41:19 -07:00
doorkeeper Make "JIRA Issues" field work better with noncredentialed accounts 2014-04-02 12:03:59 -07:00
draft/storage Differential - add DifferentialDraft to track whether revisions have draft feedback or not 2014-02-18 16:25:16 -08:00
drydock Set name parameter when saving file via Drydock 2014-04-03 09:21:36 -07:00
fact Extend all "ManagementWorkflow" classes from a base class 2013-12-27 13:15:40 -08:00
feed Include objectPHID in feed.query text view 2014-03-13 17:56:25 -07:00
files Modernize documentation links 2014-03-17 15:01:31 -07:00
flag Make attention count yellow 2014-03-29 10:26:53 -07:00
harbormaster Prevent buildable list in Harbormaster from breaking when container or buildables are missing 2014-03-25 17:35:49 -07:00
help Fix help menu links for folks with diviner uninstalled 2014-03-28 13:41:19 -07:00
herald Herald - print out rule monogram rather than rule phid on transcript controller 2014-04-02 11:59:50 -07:00
home Fix Maniphest links w.r.t. new "status" data format 2014-03-28 12:59:09 -07:00
legalpad Update Remarkup Note Styles 2014-03-21 21:42:39 -07:00
lipsum Use DifferentialRevisionEditor in lipsum 2014-03-11 13:02:00 -07:00
macro Use "\z" instead of "$" to anchor validating regular expressions 2014-03-13 12:42:41 -07:00
mailinglists Extract textual object list parsing from Differential 2014-03-07 17:44:44 -08:00
maniphest Fix maniphest "create" transactions 2014-04-01 14:26:03 -07:00
meta Various linter fixes. 2014-02-26 12:44:58 -08:00
metamta Fix Mailgun Reply-To handling 2014-03-29 10:53:52 -07:00
notification Add a "Send Test Notification" button to make testing the server easier 2014-02-17 16:00:33 -08:00
nuance Various linter fixes. 2014-02-26 12:44:58 -08:00
oauthserver Use modern UI for OAuthServer details page 2014-03-18 15:39:45 -07:00
owners Modernize documentation links 2014-03-17 15:01:31 -07:00
passphrase Implement a "credential" standard custom field 2014-03-25 16:13:27 -07:00
paste Maniphest Tasks + Project Boards - some polish 2014-03-04 17:01:33 -08:00
people Fix many lies in the "User Roles" document 2014-04-02 12:06:56 -07:00
phame Modernize documentation links 2014-03-17 15:01:31 -07:00
phid Modernize OAuthServer PHIDs and Queries 2014-03-18 13:27:55 -07:00
phlux Use "\z" instead of "$" to anchor validating regular expressions 2014-03-13 12:42:41 -07:00
pholio Modernize documentation links 2014-03-17 15:01:31 -07:00
phortune Added some additional assertion methods. 2014-03-08 19:16:21 -08:00
phpast Remove phpast.* Conduit methods 2014-03-12 11:30:22 -07:00
phragment Various linter fixes. 2014-02-26 12:44:58 -08:00
phrequent Various linter fixes. 2014-02-26 12:44:58 -08:00
phriction Update Phriction History UI 2014-03-30 11:18:49 -07:00
policy Added some additional assertion methods. 2014-03-08 19:16:21 -08:00
ponder Maniphest Tasks + Project Boards - some polish 2014-03-04 17:01:33 -08:00
project Fix Maniphest links w.r.t. new "status" data format 2014-03-28 12:59:09 -07:00
releeph Rename project -> product on edit/create UIs 2014-03-29 09:16:40 -07:00
remarkup/conduit Support processing Remarkup in bulk with remarkup.processbulk Conduit method 2013-11-02 16:30:11 -07:00
repository Differential - modernize "Local Commits" table 2014-04-02 13:18:11 -07:00
search Provide viewer to CustomFields in ApplicationSearch 2014-03-25 14:02:18 -07:00
settings Add semi-generic rate limiting infrastructure 2014-04-03 11:22:38 -07:00
slowvote Modernize documentation links 2014-03-17 15:01:31 -07:00
subscriptions Show profile pictures in subscribers dialog 2014-03-19 19:29:48 -07:00
support/application Whitelist allowed editor protocols 2014-03-17 13:00:37 -07:00
system Add semi-generic rate limiting infrastructure 2014-04-03 11:22:38 -07:00
tokens Wrap the feed text rendering stuff with htmlspecialchars_decode 2014-02-03 17:05:30 -08:00
transactions Restore "Branch" and "changes since last update" fields to Differential mail 2014-04-01 08:23:34 -07:00
typeahead Fix many lies in the "User Roles" document 2014-04-02 12:06:56 -07:00
uiexample Major timeline redesign 2014-03-27 14:24:31 -07:00
xhprof Use JSON, not PHP serialization, for XHProf profiles. 2014-02-24 04:16:52 -08:00