Commit 983c723e authored by azul's avatar azul

feature: prevent creation of spam posts

We have seen a lot of spam comments on public pages recently.
They insert links, probably to increase the search engine ranking of the linked sites.

In order to prevent this we disallow comments with links on public pages
for users who have no other access to the page than it being public.
parent ae38c043
......@@ -21,13 +21,12 @@ class Page::PostsController < ApplicationController
def create
authorize @page, :show?
if @post = @page.add_post(current_user, post_params)
respond_to do |format|
format.js { @posts = @page.posts(pagination_params) }
format.html { redirect_to page_url(@page) + "#post-#{@post.id}" }
end
authorize @post
@post = @page.add_post(current_user, post_params)
respond_to do |format|
format.html { redirect_to page_url(@page) + "#post-#{@post.id}" }
format.js { @posts = @page.posts(pagination_params) }
end
authorize @post
end
protected
......
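Review bot: The failure path is gone from `create`: with the `if` removed, an invalid post — which the new model test expects to surface as ActiveRecord::RecordInvalid — propagates out of `add_post` before `respond_to` runs, so the `spam_comment_detected` message the model adds to `errors[:body]` is never shown unless ApplicationController has a matching `rescue_from` outside this hunk. The view hunk (`form_for Post.new` instead of `form_for @post`) compounds this: even a re-rendered form would no longer carry the record's errors. Rescuing the exception in `create` and responding with `e.record.errors.full_messages` keeps the user-facing explanation the locale string was added for; the js format needs its own branch, which depends on the partials available and is left as a comment below. Separately, `authorize @post` still runs after the record is persisted and the response is set, so it cannot gate creation; that ordering predates this commit but is worth a look while the action is being touched.
```ruby
def create
  authorize @page, :show?
  @post = @page.add_post(current_user, post_params)
  respond_to do |format|
    # … unchanged: html and js responses …
  end
  authorize @post
rescue ActiveRecord::RecordInvalid => e
  # surface the validation message (e.g. spam_comment_detected) instead of a bare error page
  flash[:error] = e.record.errors.full_messages.join(', ')
  # TODO: js (remote form) callers need an error response of their own here
  redirect_to page_url(@page)
end
```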
......@@ -68,6 +68,7 @@ class Post < ActiveRecord::Base
format_attribute :body
validates_presence_of :user, :body
validate :in_reply_to_matches_recipient
validate :no_spam
alias created_by user
......@@ -223,4 +224,11 @@ class Post < ActiveRecord::Base
"Ugh. The user and the post you are replying to don't match."
end
end
def no_spam
page = discussion.try.page
return unless page.try.public? && with_link?
return if user.may?(:view, page)
errors.add :body, I18n.t(:spam_comment_detected)
end
end
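Review bot: `no_spam` calls `user.may?(:view, page)` without a nil guard although `validates_presence_of :user` on the same model anticipates a missing user; Rails runs every validation regardless of earlier errors, so a link-bearing comment on a public page with no user raises NoMethodError instead of reporting the presence error. Guard it with `return if user.nil? || user.may?(:view, page)`, or treat a missing user as the unauthorised case if anonymous posting is expected. `with_link?` and the `discussion.try.page` / `page.try.public?` chain are defined outside this hunk, so what counts as a link, and whether a nil discussion short-circuits cleanly, cannot be confirmed here. The method would also benefit from a comment recording the intent from the commit message, e.g. `# Reject link-bearing comments on public pages from users whose only access is the page being public (spam mitigation).`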
......@@ -5,7 +5,7 @@
%td.post_author
= render 'ui/author', author: current_user
%td.post_body
= form_for @post, url: posts_path, remote: true, authenticity_token: true,
= form_for Post.new, url: posts_path, remote: true, authenticity_token: true,
html: {onsubmit: show_spinner('post')} do |f|
= f.text_area :body, rows: 8, class: 'form-control'
.buttons-right
......
......@@ -46,6 +46,9 @@ en:
select_files: "Select files"
send_button: Send
show_thing: "Show %{thing}"
spam_comment_detected: |
looks like spam we have been seeing lately.
It will probably work if you remove the links.
thing_destroyed: "%{thing} destroyed"
thing_required: "%{thing} Required"
updated: Updated
......
......@@ -15,4 +15,27 @@ class PostTest < ActiveSupport::TestCase
end
def test_prevent_creation_of_spam
page = pages(:public_wiki)
user = users(:penguin)
assert_raises ActiveRecord::RecordInvalid do
post = page.add_post(user, body: posts(:auto_link).body)
end
end
def test_visitor_comment_without_link
page = pages(:public_wiki)
user = users(:penguin)
post = page.add_post(user, body: posts(:no_link).body)
assert_empty post.errors
assert_predicate post, :persisted?
end
def test_allow_authorized_comment_with_link
page = pages(:public_wiki)
user = users(:gerrard)
post = page.add_post(user, body: posts(:auto_link).body)
assert_empty post.errors
assert_predicate post, :persisted?
end
end
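Review bot: `test_prevent_creation_of_spam` assigns `post` inside the `assert_raises` block but never reads it, and the test only checks that something raised RecordInvalid, not that the spam rule was the cause; a failure of any other validation would pass it. Capture the exception and assert on the message: `error = assert_raises(ActiveRecord::RecordInvalid) { page.add_post(user, body: posts(:auto_link).body) }` followed by `assert_includes error.record.errors[:body], I18n.t(:spam_comment_detected)`. A fourth case — a link-bearing comment on a non-public page by a non-member — would pin down that the rule is scoped to public pages as the commit message says; whether the fixtures include such a page cannot be seen here.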