From 1003e73bf11fa9935b978af2079d7c57e16e0531 Mon Sep 17 00:00:00 2001
From: Chad Birch
Date: Wed, 19 Feb 2014 16:34:03 -0700
Subject: [PATCH] Password reset: ratelimit by IP

---
 r2/r2/controllers/api.py | 8 +++++++-
 r2/r2/templates/password.html | 1 +
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/r2/r2/controllers/api.py b/r2/r2/controllers/api.py
index 6e6d54cf6..a6c6fd4c2 100755
--- a/r2/r2/controllers/api.py
+++ b/r2/r2/controllers/api.py
@@ -2723,13 +2723,19 @@ class ApiController(RedditController):
 errors.NO_TEXT):
 form.redirect("/gold/thanks?v=%s" % status)
- @validatedForm(user = VUserWithEmail('name'))
+ @validatedForm(
+ VRatelimit(rate_ip=True, prefix="rate_password_"),
+ user=VUserWithEmail('name'),
+ )
 def POST_password(self, form, jquery, user):
 if form.has_errors('name', errors.USER_DOESNT_EXIST):
 return
 elif form.has_errors('name', errors.NO_EMAIL_FOR_USER):
 return
+ elif form.has_errors('ratelimit', errors.RATELIMIT):
+ return
 else:
+ VRatelimit.ratelimit(rate_ip=True, prefix="rate_password_")
 if emailer.password_email(user):
 form.set_html(".status", _("an email will be sent to that account's address shortly"))
diff --git a/r2/r2/templates/password.html b/r2/r2/templates/password.html
index 4f10c35e7..1290a8580 100644
--- a/r2/r2/templates/password.html
+++ b/r2/r2/templates/password.html
@@ -39,6 +39,7 @@
 ${error_field("USER_DOESNT_EXIST", "name")}
 ${error_field("NO_EMAIL_FOR_USER", "name")}
+ ${error_field("RATELIMIT", "ratelimit")}
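Review bot: The rate-limit hit is only recorded on the success path — `VRatelimit.ratelimit(rate_ip=True, prefix="rate_password_")` sits inside the final `else:` — so requests that fail with `USER_DOESNT_EXIST` or `NO_EMAIL_FOR_USER` return early without ever being counted, and the endpoint stays an unthrottled oracle for which usernames exist and which have an email on file. The `ratelimit` error check is also evaluated after the `name` checks, so a throttled client still gets the per-name error message. Check `ratelimit` first and record the hit unconditionally before the `name` checks, as sketched below; the `if emailer.password_email(user)` branch and the rest of POST_password continue past the hunk and are unchanged. Separately, keying only on IP (`rate_ip=True`) does not cap how many reset mails one target account receives from many source addresses; if VRatelimit supports a per-key limit, a second limit keyed on the target account name is presumably worth adding — confirm against VRatelimit's API.
```python
    def POST_password(self, form, jquery, user):
        # Count every attempt, not only successful sends, so failed lookups
        # (nonexistent user / no email) are throttled too.
        if form.has_errors('ratelimit', errors.RATELIMIT):
            return
        VRatelimit.ratelimit(rate_ip=True, prefix="rate_password_")
        if form.has_errors('name', errors.USER_DOESNT_EXIST):
            return
        elif form.has_errors('name', errors.NO_EMAIL_FOR_USER):
            return
        else:
            # … unchanged: emailer.password_email(user) and status messages …
```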