Bilka2 commented Jan 13, 2026

Issue

https://otwarchive.atlassian.net/browse/AO3-7264

Purpose

Use Rails' new rate limiting to apply commenting rate limits based on the current user.

Credit

Bilka

Comment on lines +64 to +71
return false unless action_name == "create" || action_name == "update"

return false unless logged_in? # Guest comment rate limits are not handled here

parent = find_parent
return false if parent.is_a?(Tag) || !current_user.should_spam_check_comments?

!current_user.is_author_of?(parent)
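
Review bot: every early `return false` in this method switches rate limiting off, so the guard order deserves care: `find_parent` runs before `current_user.should_spam_check_comments?` is consulted, and the last line calls `is_author_of?(parent)` with no visible check that a parent was found. Check the user exemption first, then look up the parent, and decide explicitly what happens if `find_parent` returns nil (for an abuse control the safer default is to keep limiting). Splitting the combined `parent.is_a?(Tag) || !current_user.should_spam_check_comments?` line into two guards would also make each exemption easier to audit.
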
Contributor Author

I would be very happy about thoughts on how to format all these conditions better

def should_rate_limit
return false unless action_name == "create" || action_name == "update"

return false unless logged_in? # Guest comment rate limits are not handled here
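
Review bot: the inline comment on the `logged_in?` guard says guest limits are "not handled here" but does not say where they are handled. Name the mechanism that covers guests in that comment, so a reader can confirm that returning false on this line does not leave guest create and update requests unthrottled.
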
Contributor

I would try and be positive.

return false if logged_out?

Contributor Author

We also need to return false for admins

Contributor

return false if logged_out? || logged_in_as_admin_or_whatever?

Contributor

aren't admins blocked from commenting in most cases? "Please log out of your admin account to comment." appears for me on tags and works; most news posts are locked to guests so show that banner instead

My opinion would be:

  def should_rate_limit
    return false unless action_name == "create" || action_name == "update"
    return false unless logged_in? # Guest comment rate limits are not handled here
    return false unless current_user.should_spam_check_comments?
    parent = find_parent
    return false if parent.is_a?(Tag)
    return false if current_user.is_author_of?(parent)

    return true
  end

I think grouping the unless and if checks separately makes it read better.

Contributor Author

aren't admins blocked from commenting in most cases?

Yes, but I am not entirely sure whether we're guaranteed to do that check before we run this code here. We should be, but I'd rather be safe than sorry

@@ -0,0 +1,4 @@
<h2 class="heading">Error 429</h2>
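
Review bot: the heading text "Error 429" on the added line is a hard-coded English string. Move it into the locale files and render it through the `t` helper so the rate-limit error page can be translated; the hunk header says this new file has four lines, so the same applies to any user-facing text in the lines not shown here.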

Should this view be translatable?

Contributor Author

yeah, I completely forgot
