Password reset: ratelimit by IP

2026-04-27 03:00:12 -04:00 · 2014-02-19 16:34:03 -07:00
parent 60c18aec8a
commit 1003e73bf1
2 changed files with 8 additions and 1 deletions
--- a/r2/r2/controllers/api.py
+++ b/r2/r2/controllers/api.py
@@ -2723,13 +2723,19 @@ class ApiController(RedditController):
                               errors.NO_TEXT):
            form.redirect("/gold/thanks?v=%s" % status)

-    @validatedForm(user = VUserWithEmail('name'))
+    @validatedForm(
+        VRatelimit(rate_ip=True, prefix="rate_password_"),
+        user=VUserWithEmail('name'),
+    )
    def POST_password(self, form, jquery, user):
        if form.has_errors('name', errors.USER_DOESNT_EXIST):
            return
        elif form.has_errors('name', errors.NO_EMAIL_FOR_USER):
            return
+        elif form.has_errors('ratelimit', errors.RATELIMIT):
+            return
        else:
+            VRatelimit.ratelimit(rate_ip=True, prefix="rate_password_")
            if emailer.password_email(user):
                form.set_html(".status",
                      _("an email will be sent to that account's address shortly"))
--- a/r2/r2/templates/password.html
+++ b/r2/r2/templates/password.html
@@ -39,6 +39,7 @@
    <input type="text" name="name" />
    ${error_field("USER_DOESNT_EXIST", "name")}
    ${error_field("NO_EMAIL_FOR_USER", "name")}
+    ${error_field("RATELIMIT", "ratelimit")}
  </%utils:round_field>
 </div>