While we can always hard-code checks for gold, putting this into the feature
flag system allows us to move things from gold-only to everyone with only a
config change.
This allows the option for non-anonymous gildings or to write a message.
Whether the user purchased anonymously or non-anonymously for gildings will
be remembered and applied to future gildings (initializes to False so it's
still anonymous until the user decides to change it).
If specific user accounts were allowed to use a feature, logged-out
users would cause the feature flag check to fail because
UnloggedUser.name exists but raises NotImplementedError. This makes the
feature-world return None for user if no user is logged in.
We got a message from Google Webmaster Tools letting us know they'd like to
pretend to be a mobile device and crawl our mobile pages, but can't, because we
disallow it in our `robots.txt` rules. We have canonicalization set up to
point towards desktop pages, so we shouldn't be hurt by allowing this.
We should also at some point provide two-way annotations to let them go from
desktop -> mobile[0], but for now this should suffice.
[0]: https://developers.google.com/webmasters/mobile-sites/mobile-seo/configurations/separate-urls
This is a tiny little touch-up of the flair selector box that just adds a
little more space between things, because I was annoyed at looking at it. As
far as my choices for things:
* The `.flairselector h2` change was to make it consistent with the other
dividing lines in the box.
* The button margin was chosen to be consistent with the "add" button on
/about/moderators.
I decided not to mess with the wonky vertical alignment on the flair because
that gets changed by subreddits' customizations to flair display, so it's
probably not worth it to try and make it look better.
The goal of a login ratelimit system is to prevent brute force attacks
on passwords.
The current login ratelimit system is based on VDelay which uses
exponential backoff based on IP address after failed login attempts.
This is not ideal because of corporate proxies and LSN causing the
number of false positives to be very high resulting in users getting
the dreaded "you've been doing that too much".
This new system uses a factored out version of the core ratelimiting
system which uses fixed ratelimits per period (allowing some burstiness)
and is per-account. To help mitigate the effects of a denial of service
attack on a specific user, different ratelimit buckets are used
depending on whether or not the user has used the IP the login request
is coming from before.
As an escape hatch, successfully resetting an account's password adds
the current IP to that account's recent IPs allowing it into the safer
ratelimit bucket.
The ratelimit never applies if you are currently logged in as the user,
allowing account deletion to happen regardless of ongoing brute force /
denial of service attacks.
Currently, the subreddit selector when submitting a new link "/r/subreddit/submit" says "Popular Choices" and then lists the subreddits you are subscribed to.
I find this to be a big misnomer, as they are not popular choices at all, they are just a list of your subscribed subreddits. "Popular choices" implies that these are things other people have selected as well.
I know, it's super nitpicky, but I thought it might make more sense this way.
[Reported by][0] /u/josh64.
When the message RSS feeds were created, they erroneously had an extra timezone
appended to the `dc:date` element, which causes validation errors.
In most of the feeds we rely only upon `pubDate`; it's not clear to me why we
additionally use `dc:date` in the few places we do, but I suppose it doesn't
hurt anything. The other two places using it are `subreddit.xml`, which never
had the extra timezone, and `comment.xml`, in which it was removed three years
ago (reddit/reddit@5675398). This fixes the last incorrect instance.
Note: Although the reporter says they got an error in the W3C validator and the
format is clearly wrong, in my tests the validator passed the previous,
incorrect feed. *shrug*
[0]: http://redd.it/2r1plf
