Fixed #5 -- Added a spam protection feature to password resets

2026-05-04 15:04:03 +00:00 · 2016-02-22 22:10:25 +01:00
parent e29f19e96b
commit d5feeb77d1
1 changed files with 11 additions and 0 deletions
--- a/src/pretix/control/views/auth.py
+++ b/src/pretix/control/views/auth.py
@@ -82,6 +82,17 @@ class Forgot(TemplateView):
    def post(self, request, *args, **kwargs):
        if self.form.is_valid():
            user = self.form.cleaned_data['user']
+
+            if settings.HAS_REDIS:
+                from django_redis import get_redis_connection
+                rc = get_redis_connection("redis")
+                if rc.exists('pretix_pwreset_%s' % (user.id)):
+                    user.log_action('pretix.control.auth.user.forgot_password.denied.repeated')
+                    messages.error(request, _('We already sent you an email in the last 24 hours.'))
+                    return redirect('control:auth.forgot')
+                else:
+                    rc.setex('pretix_pwreset_%s' % (user.id), 3600 * 24, '1')
+
            mail(
                user.email, _('Password recovery'), 'pretixcontrol/email/forgot.txt',
                {