Disable contact form for logged-out users due to spam

2023-02-21 11:45:26 -08:00 · 2023-02-21 11:45:26 -08:00 · a1d80fc2b0
commit a1d80fc2b0
parent 296b5a30b8
2 changed files with 33 additions and 0 deletions
--- a/pkg/controller/index/contact.go
+++ b/pkg/controller/index/contact.go
@ -88,6 +88,14 @@ func Contact() http.HandlerFunc {
 				replyTo = currentUser.Email
 			}
 			// We were getting too much spam logged-out: prevent logged-out bots from still posting.
 			if currentUser == nil {
 				log.Error("Blocked POST /contact because user is logged-out")
 				session.FlashError(w, r, "Our contact form is only for logged-in users, sorry!")
 				templates.Redirect(w, "/contact")
 				return
 			}
 			// Rate limit submissions, especially for logged-out users.
 			if currentUser == nil {
 				limiter := &ratelimit.Limiter{
--- a/web/templates/contact.html
+++ b/web/templates/contact.html
@ -24,6 +24,29 @@
                    </header>
                    <div class="card-content">
                        <!-- No form anymore for logged-out users: too much unsolicited spam. -->
                        {{if not .LoggedIn}}
                            <p class="block">
                                The open "contact us" form is now disabled for logged-out users -
                                we were getting way too much unsolicited spam from drive-by robots
                                that abuse any such open contact form they can find.
                            </p>
                            <p class="block">
                                If you have a {{PrettyTitle}} account, please <a href="/login">log in</a>
                                to it and then you can send a nice message to the website administrators
                                here on this page -- to give us feedback, ideas, criticism, or to report
                                a problem with the website or one of its members.
                            </p>
                            <p class="block">
                                For all outside inquiries, you can contact the website administrators
                                via e-mail. For general questions, send to <strong>support</strong> "at"
                                <strong>nonshy.com</strong> and for more serious stuff we also have a
                                standard <strong>abuse@</strong> inbox on this domain.
                            </p>
                        {{else}}
                        <form action="/contact" method="POST">
                            {{InputCSRF}}
                            <input type="hidden" name="intent" value="{{.Intent}}">
@ -116,6 +139,8 @@
                            </div>
                        </form>
                        {{end}}<!-- /if logged in -->
                    </div>
                </div>