crystal-community/crystal-ann

Max announcements per hour

Closed this issue · 0 comments

I'm afraid we are open to some spamming. An attacker can easily create lots of dummy announcements and spam Twitter/RSS and our list of announcements on the web.

The idea is to set a max limit on the number of announcements a specific user can create per hour.

TODOs:

  • Create a before_action for AnnouncementController#create which will:
    • Find the number of announcements created by current_user within the last hour
    • If that number exceeds ENV["MAX_ANNS_PER_HOUR"], just redirect to / for now.
    • Otherwise, the user is able to proceed.
    • Add tests
  • Ignore this feature if ENV["MAX_ANNS_PER_HOUR"] is not set or is 0.
  • Add MAX_ANNS_PER_HOUR to the list of used env variables in Readme.
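
The check outlined in the TODO list, sketched as framework-independent Crystal. This is an added example, not code from crystal-ann: `parse_limit` and `over_limit?` are hypothetical names, the timestamps stand in for a query over the current user's announcements, and it assumes a request is blocked once the count for the last hour has reached the limit, so that no more than `MAX_ANNS_PER_HOUR` announcements are created per hour.

```crystal
# Added example; not part of crystal-ann. All names are hypothetical.

# Parses the raw MAX_ANNS_PER_HOUR value. Returns nil when the feature is
# disabled: variable unset, empty, non-numeric, zero or negative.
def parse_limit(raw : String?) : Int32?
  limit = raw.try(&.strip.to_i?)
  return nil if limit.nil? || limit <= 0
  limit
end

# created_at holds the creation times of one user's announcements.
# In the application this would be a COUNT query filtered by user id and
# created_at > cutoff (assumption); an array keeps the sketch self-contained.
def over_limit?(created_at : Array(Time), now : Time, limit : Int32?) : Bool
  return false if limit.nil? # feature disabled, never block
  cutoff = now - 1.hour
  recent = created_at.count { |t| t > cutoff }
  # Block when the user has already used up the hourly allowance.
  recent >= limit
end

# Constructed sample data: three announcements, two inside the last hour.
now = Time.utc(2017, 6, 1, 12, 0, 0)
stamps = [now - 90.minutes, now - 50.minutes, now - 10.minutes]

# In the before_action the raw value would come from ENV["MAX_ANNS_PER_HOUR"]?
# and a true result would trigger the redirect to "/".
samples = [nil, "", "0", "abc", "2", "3"] of String?
samples.each do |raw|
  limit = parse_limit(raw)
  blocked = over_limit?(stamps, now, limit)
  puts "MAX_ANNS_PER_HOUR=#{raw.inspect} limit=#{limit.inspect} blocked=#{blocked}"
end
```

Treating a non-numeric value the same as an unset one leaves the limit silently disabled on a misconfigured deployment; logging a warning in that branch makes the gap visible.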