Attempts to reduce spam registrations

* Don't display website until user has signed in 10 times * Don't display unverified users in index * Honeypot field
ElixirTeSS · Oct 11, 2024 · 3aae10d · 3aae10d
1 parent e15ee62
commit 3aae10d
Show file tree

Hide file tree

Showing 7 changed files with 58 additions and 13 deletions.
diff --git a/app/controllers/tess_devise/registrations_controller.rb b/app/controllers/tess_devise/registrations_controller.rb
@@ -25,7 +25,8 @@ def update_resource(resource, params)
 
   # Pinched from https://github.com/plataformatec/devise/wiki/How-To:-Use-Recaptcha-with-Devise
   def check_captcha
-    if !Rails.application.secrets.recaptcha[:sitekey].blank? && !verify_recaptcha
+    if (Rails.application.secrets.recaptcha[:sitekey].present? && !verify_recaptcha) ||
+      params.dig('user', 'website').present?
       self.resource = resource_class.new sign_up_params
       respond_with_navigational(resource) { render :new }
     end

diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
@@ -11,7 +11,11 @@ class UsersController < ApplicationController
   # GET /users.json
   def index
     @users = User.visible
-    @users = @users.with_query(params[:q].chomp('*')) if params[:q].present?
+    if params[:q].present?
+      @users = @users.with_query(params[:q].chomp('*'))
+    elsif !(current_user&.is_admin? || current_user&.is_curator?)
+      @users = @users.verified
+    end
     @users = @users.paginate(page: params[:page], per_page: 50)
 
     respond_to do |format|
@@ -23,7 +27,7 @@ def index
 
   # GET/invitees
   def invitees
-    if current_user.is_admin? or current_user.is_curator?
+    if current_user&.is_admin? || current_user&.is_curator?
       @users = User.invited
       respond_to do |format|
         format.html

diff --git a/app/models/user.rb b/app/models/user.rb
@@ -374,6 +374,10 @@ def purge
     end
   end
 
+  def show_website?
+    sign_in_count > 10
+  end
+
   protected
 
   def reassign_resources(new_owner = User.get_default_user)

diff --git a/app/views/devise/registrations/new.html.erb b/app/views/devise/registrations/new.html.erb
@@ -29,10 +29,17 @@
 
         <%= f.input :email, required: true %>
 
+        <div style="opacity: 0; height: 0; overflow: hidden">
+          <div class="form-group website required user_website">
+            <label class="control-label website" for="user_website"><abbr title="required">*</abbr> Website</label>
+            <input class="form-control string website required" type="text" value="" name="user[website]" id="user_website">
+          </div>
+        </div>
+
         <%= f.input :publicize_email, as: :boolean, label: 'Make my email publicly visible' %>
 
         <%= f.input :password, required: true, input_html: { autocomplete: 'off' },
-                    hint: "(#{@minimum_password_length} characters minimum)" if @minimum_password_length %>
+                    hint: @minimum_password_length ? "(#{@minimum_password_length} characters minimum)" : nil %>
 
         <%= f.input :password_confirmation, required: true, input_html: { autocomplete: 'off' } %>
 

diff --git a/app/views/users/show.html.erb b/app/views/users/show.html.erb
@@ -36,14 +36,16 @@
         <% end %>
       </p>
 
-      <p>
-        <strong><%= model_class.human_attribute_name(:website) %></strong><br/>
-        <% if @user.profile.website.blank? %>
-          <span class="empty">None specified</span>
-        <% else %>
-          <%= link_to @user.profile.website, @user.profile.website, rel: 'nofollow', target: '_blank' %>
-        <% end %>
-      </p>
+      <% if @user.show_website? || (current_user&.is_admin? || current_user&.is_curator?) %>
+        <p>
+          <strong><%= model_class.human_attribute_name(:website) %></strong><br/>
+          <% if @user.profile.website.blank? %>
+            <span class="empty">None specified</span>
+          <% else %>
+            <%= link_to @user.profile.website, @user.profile.website, rel: 'nofollow', target: '_blank' %>
+          <% end %>
+        </p>
+      <% end %>
 
       <p>
         <strong>ORCID</strong><br/>

diff --git a/test/controllers/tess_devise/registrations_controller_test.rb b/test/controllers/tess_devise/registrations_controller_test.rb
@@ -68,6 +68,21 @@ class RegistrationsControllerTest < ActionController::TestCase
        assert assigns(:user).errors[:base].first.include?('processing')
     end
 
+    test 'should not register user if website given' do
+      assert_no_difference('User.count') do
+        post :create, params: {
+          user: {
+            username: 'mileyfan1997',
+            email: '[email protected]',
+            password: '12345678',
+            password_confirmation: '12345678',
+            processing_consent: '1',
+            website: 'https://myhomepage.com'
+          }
+        }
+      end
+    end
+
     test 'should redirect to user page after changing password' do
       user = users(:regular_user)
       sign_in user

diff --git a/test/controllers/users_controller_test.rb b/test/controllers/users_controller_test.rb
@@ -370,7 +370,19 @@ class UsersControllerTest < ActionController::TestCase
     refute assigns(:users).include?(users(:another_regular_user))
   end
 
-  test 'should not show banned or basic users in index' do
+  test 'should not show banned or basic users in index if not admin' do
+    get :index
+    assert_response :success
+    all_users = assigns(:users).to_a
+    assert users(:shadowbanned_user).banned?
+    assert_not_includes all_users, users(:shadowbanned_user)
+    assert_not_includes all_users, users(:unverified_user)
+    assert_not_includes all_users, users(:basic_user)
+    assert_includes all_users, users(:regular_user)
+  end
+
+  test 'should show banned or basic users in index if admin' do
+    sign_in @admin
     get :index
     assert_response :success
     all_users = assigns(:users).to_a