Disable contact form for logged-out users due to spam

2023-02-21 11:45:26 -08:00 · 2023-02-21 11:45:26 -08:00 · a1d80fc2b0
commit a1d80fc2b0
parent 296b5a30b8
2 changed files with 33 additions and 0 deletions
--- a/pkg/controller/index/contact.go
+++ b/pkg/controller/index/contact.go
@ -88,6 +88,14 @@ func Contact() http.HandlerFunc {
 				replyTo = currentUser.Email
 			}

+			// We were getting too much spam logged-out: prevent logged-out bots from still posting.
+			if currentUser == nil {
+				log.Error("Blocked POST /contact because user is logged-out")
+				session.FlashError(w, r, "Our contact form is only for logged-in users, sorry!")
+				templates.Redirect(w, "/contact")
+				return
+			}
+
 			// Rate limit submissions, especially for logged-out users.
 			if currentUser == nil {
 				limiter := &ratelimit.Limiter{
--- a/web/templates/contact.html
+++ b/web/templates/contact.html
@ -24,6 +24,29 @@
                    </header>
                    <div class="card-content">

+                        <!-- No form anymore for logged-out users: too much unsolicited spam. -->
+                        {{if not .LoggedIn}}
+                            <p class="block">
+                                The open "contact us" form is now disabled for logged-out users -
+                                we were getting way too much unsolicited spam from drive-by robots
+                                that abuse any such open contact form they can find.
+                            </p>
+
+                            <p class="block">
+                                If you have a {{PrettyTitle}} account, please <a href="/login">log in</a>
+                                to it and then you can send a nice message to the website administrators
+                                here on this page -- to give us feedback, ideas, criticism, or to report
+                                a problem with the website or one of its members.
+                            </p>
+
+                            <p class="block">
+                                For all outside inquiries, you can contact the website administrators
+                                via e-mail. For general questions, send to <strong>support</strong> "at"
+                                <strong>nonshy.com</strong> and for more serious stuff we also have a
+                                standard <strong>abuse@</strong> inbox on this domain.
+                            </p>
+                        {{else}}
+
                        <form action="/contact" method="POST">
                            {{InputCSRF}}
                            <input type="hidden" name="intent" value="{{.Intent}}">
@ -116,6 +139,8 @@
                            </div>
                        </form>

+                        {{end}}<!-- /if logged in -->
+
                    </div>
                </div>