From a1d80fc2b0ba448d4fe46c8236334363b7e5fbcd Mon Sep 17 00:00:00 2001
From: Noah Petherbridge
Date: Tue, 21 Feb 2023 11:45:26 -0800
Subject: [PATCH] Disable contact form for logged-out users due to spam

---
 pkg/controller/index/contact.go | 8 ++++++++
 web/templates/contact.html | 25 +++++++++++++++++++++++++
 2 files changed, 33 insertions(+)

diff --git a/pkg/controller/index/contact.go b/pkg/controller/index/contact.go
index 450e099..fcb4088 100644
--- a/pkg/controller/index/contact.go
+++ b/pkg/controller/index/contact.go
@@ -88,6 +88,14 @@ func Contact() http.HandlerFunc {
 replyTo = currentUser.Email
 }
 
+ // We were getting too much spam logged-out: prevent logged-out bots from still posting.
+ if currentUser == nil {
+ log.Error("Blocked POST /contact because user is logged-out")
+ session.FlashError(w, r, "Our contact form is only for logged-in users, sorry!")
+ templates.Redirect(w, "/contact")
+ return
+ }
+
 // Rate limit submissions, especially for logged-out users.
 if currentUser == nil {
 limiter := &ratelimit.Limiter{
diff --git a/web/templates/contact.html b/web/templates/contact.html
index fabfd75..1a71f47 100644
--- a/web/templates/contact.html
+++ b/web/templates/contact.html
@@ -24,6 +24,29 @@
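Review bot: The `if currentUser == nil` rate-limit branch in the hunk's trailing context can no longer execute, because the new guard directly above it already returns for every logged-out request, so the logged-out limiter configuration is now dead code and the comment "especially for logged-out users" is stale. Either delete that branch (its body continues past the hunk) or place the new guard after the limiter so bots hammering `/contact` are still throttled before being bounced; as written, every rejected POST costs an unthrottled `log.Error` line, and since this is the expected path for any anonymous visitor it belongs at info/warn level rather than error, e.g. `log.Info("Blocked POST /contact because user is logged-out")` if the logger has that level. The `Contact` handler starts and ends outside the hunk, so I can't see whether the request method and form parsing are handled before this point; ideally the authentication check runs before any request body is parsed.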
+ + {{if not .LoggedIn}} +

+ The open "contact us" form is now disabled for logged-out users - + we were getting way too much unsolicited spam from drive-by robots + that abuse any such open contact form they can find. +

+ +

+ If you have a {{PrettyTitle}} account, please log in + to it and then you can send a nice message to the website administrators + here on this page -- to give us feedback, ideas, criticism, or to report + a problem with the website or one of its members. +

+ +

+ For all outside inquiries, you can contact the website administrators + via e-mail. For general questions, send to support "at" + nonshy.com and for more serious stuff we also have a + standard abuse@ inbox on this domain. +

+ {{else}} +
{{InputCSRF}} @@ -116,6 +139,8 @@
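Review bot: The `{{if not .LoggedIn}}` gate added at the top of this hunk is display-only — it hides the form but does not stop a direct POST — so it must stay paired with the server-side `currentUser == nil` rejection in the handler, and `.LoggedIn` should come from the same session lookup that handler uses (not visible here, so please confirm the two cannot disagree). The replacement text hard-codes the `nonshy.com` domain and the `support`/`abuse@` mailbox names while the site name beside it comes from `{{PrettyTitle}}`; if the domain is configurable, expose the contact addresses as template variables too so they don't drift. Minor wording: "is now disabled" will read as stale in a few months — `The open "contact us" form is disabled for logged-out users` says the same thing durably. Most of the markup around these lines appears to have been stripped from the rendered patch (the bare `+` lines), so the surrounding element structure could not be reviewed.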
+ {{end}} +