chromakode · davean · Nov 27, 2013 · Dec 4, 2013 · Dec 4, 2013 · Dec 4, 2013
diff --git a/danceparty/default_settings.py b/danceparty/default_settings.py
@@ -6,5 +6,7 @@
 CDN_HTTPS_HOST = None
 CACHE_POLL_INTERVAL = 30
 GA_ID = None
+UPLOAD_RATE_PERIOD = 86400 # 1 day
+UPLOAD_RATE_COUNT = 2
 RG_VERIFY_ENDPOINT = None
-RG_VERIFY_SECRET = None
+RG_VERIFY_SECRET = None
diff --git a/danceparty/main.py b/danceparty/main.py
@@ -86,7 +86,11 @@ def create_db():
             'all': {
                 'map': "function(doc) {  emit(doc.ts, doc) }"
             },
-        },
+            'upload_rate': {
+                'map': "function(doc) { if(doc.status != 'approved') { emit(doc.ip, [doc.ts]) } }",
+                'reduce': "function (key, values, rereduce) { return [].concat.apply([], values).sort().reverse().slice(0,%d); }"%(app.config['UPLOAD_RATE_COUNT']*2) #it is assumed if the majority of the uploads in the bucket are approved that they aren't spammers.
+            },
+        }
     }
     doc = db.get(views['_id'], {})
     if doc.get('views') != views['views']:
@@ -275,6 +279,12 @@ def remove_dance(dance_id):
 
 @app.route('/dance', methods=['POST'])
 def upload_dance():
+    recent = g.db.view('danceparty/upload_rate',group=True, group_level=1, stale='update_after', key=request.remote_addr)
+    if recent:
+        now = time.time()
+        if app.config['UPLOAD_RATE_COUNT'] <= \
+                len(filter(lambda t: t>(now - app.config['UPLOAD_RATE_PERIOD']), recent.rows[0].value)):
+            abort(403)
     if app.config['RG_VERIFY_ENDPOINT']:
         user_id, user_token = request.form['user_id'], request.form['user_token']
         check_token = hmac.new(app.config['RG_VERIFY_SECRET'], user_id, hashlib.sha1).hexdigest()