Skip to content

discussions: add rate limiting for creating threads, comments, and @mention notifications

Warren Gifford requested to merge sg/discussions-v0.7 into master

Created by: slimsag

This PR adds rate limiting to discussions which makes it harder to spam creation of threads, comments, and @mention notifications at other users.

  • The rate limiting approach for thread creation is such that you can create many 'small review' comments in a single file very quickly, but are penalized for creating a similar amount of threads across many independent files.
  • The rate limiting approach for comment creation is such that you can have realtime slack/IRC-like conversations in a single discussion thread, but are penalized for posting a similar amount of comments across many independent threads.
  • The rate limiting approach for @mentions is purely to prevent someone from @mentioning hundreds of users in a short timeframe.

For exact limits I have chosen, see ratelimit.go lines 88-151.

This rate limiting only applies when discussions.abuseProtection == true in the site config, i.e. only for public instances like Sourcegraph.com and not enabled for regular user instances by default, as with other abuse protection measures in code discussions.

Fixes sourcegraph/enterprise#13453

Note: This PR will be merged immediately after submission to prevent anyone who reads this PR description from causing harm. Any review will be followed up post-merge.

This PR updates the CHANGELOG.md file to describe any user-facing changes.

Merge request reports

Loading