Merge pull request #884 from alphagov/dont-allow-list-creator-and-spo…

…nsor-domains Don't apply domain allow list to creators, sponsors and feedback
alphagov · Nov 8, 2023 · ced6264 · ced6264
2 parents 149bd8f + 3f8b03c
commit ced6264
Show file tree

Hide file tree

Showing 6 changed files with 15 additions and 4 deletions.
diff --git a/app/models/feedback.rb b/app/models/feedback.rb
@@ -34,6 +34,10 @@ def domain
     nil
   end
 
+  def allowed_domains?
+    false
+  end
+
   private
 
   def rate_limit

diff --git a/app/models/rate_limit.rb b/app/models/rate_limit.rb
@@ -93,7 +93,10 @@ def exceeded?(signature)
     return true if ip_geoblocked?(signature.ip_address)
     return true if domain_blocked?(signature.domain)
     return false if ip_allowed?(signature.ip_address)
-    return false if domain_allowed?(signature.domain)
+
+    if signature.allowed_domains?
+      return false if domain_allowed?(signature.domain)
+    end
 
     if signature.is_a?(Feedback)
       feedback_rate_exceeded?(signature)

diff --git a/app/models/signature.rb b/app/models/signature.rb
@@ -758,6 +758,10 @@ def rate(window = 5.minutes)
     end
   end
 
+  def allowed_domains?
+    !(creator? || sponsor?)
+  end
+
   def update_uuid
     update_column(:uuid, generate_uuid)
   end

diff --git a/features/charlie_creates_a_petition.feature b/features/charlie_creates_a_petition.feature
@@ -205,7 +205,7 @@ Scenario: Charlie creates a petition when blocked
 Scenario: Charlie creates a petition when his IP address is rate limited
   Given the creator rate limit is 1 per hour
   And there are no allowed IPs
-  And there are no blocked IPs
+  And the domain "wimbledon.com" is allowed
   And there are 2 petitions created from this IP address
   And I start a new petition
   And I fill in the petition details

diff --git a/features/laura_signs_charlies_petition_as_a_sponsor.feature b/features/laura_signs_charlies_petition_as_a_sponsor.feature
@@ -90,7 +90,7 @@ Feature: As Laura, a sponsor of my friend Charlie's petition
   Scenario: Laura does not get an email when IP address is rate limited
     Given the sponsor rate limit is 1 per hour
     And there are no allowed IPs
-    And there are no allowed domains
+    And the domain "example.com" is allowed
     And there is a sponsor already from this IP address
     When I visit the "sponsor this petition" url I was given
     And I fill in my details as a sponsor

diff --git a/features/user_sends_feedback.feature b/features/user_sends_feedback.feature
@@ -36,7 +36,7 @@ Feature: User sends feedback
   Scenario: User is blocked by IP address rate limiting
     Given the feedback rate limit is 1 per hour
     And there are no allowed IPs
-    And there are no allowed domains
+    And the domain "example.com" is allowed
     And there are 2 feedbacks created from this IP address
     And I am on the feedback page
     When I fill in "Comments" with "I must protest"