From 49eb4d4ddf61e25c5aaab89aa630ddd3c7f3c23d Mon Sep 17 00:00:00 2001 From: ThibG Date: Thu, 10 Dec 2020 06:27:26 +0100 Subject: Add honeypot fields and minimum fill-out time for sign-up form (#15276) * Add honeypot fields to limit non-specialized spam Add two honeypot fields: a fake website input and a fake password confirmation one. The label/placeholder/aria-label tells not to fill them, and they are hidden in CSS, so legitimate users should not fall into these. This should cut down on some non-Mastodon-specific spambots. * Require a 3 seconds delay before submitting the registration form * Fix tests * Move registration form time check to model validation * Give people a chance to clear the honeypot fields * Refactor honeypot translation strings Co-authored-by: Claire --- app/models/user.rb | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'app/models') diff --git a/app/models/user.rb b/app/models/user.rb index 94fee999a..981dc6d47 100644 --- a/app/models/user.rb +++ b/app/models/user.rb @@ -89,6 +89,13 @@ class User < ApplicationRecord validates_with EmailMxValidator, if: :validate_email_dns? validates :agreement, acceptance: { allow_nil: false, accept: [true, 'true', '1'] }, on: :create + # Those are honeypot/antispam fields + attr_accessor :registration_form_time, :website, :confirm_password + + validates_with RegistrationFormTimeValidator, on: :create + validates :website, absence: true, on: :create + validates :confirm_password, absence: true, on: :create + scope :recent, -> { order(id: :desc) } scope :pending, -> { where(approved: false) } scope :approved, -> { where(approved: true) } -- cgit