users: improve sockpuppet detection on signup.

Require new accounts to verify their email address if any of the following conditions are true: * Their IP is a proxy. * Their IP is under a partial IP ban. * They're creating a new account while logged in to another account. * Somebody recently created an account from the same IP in the last week. Changes from before: * Allow logged in users to view the signup page and create new accounts. Creating a new account while logged in to your old account is now allowed, but it requires email verification. This is a honeypot. * Creating multiple accounts from the same IP is now allowed, but they require email verification. Previously the same IP check was only for the last day (now it's the last week), and only for an exact IP match (now it's a subnet match, /24 for IPv4 or /64 for IPv6). * New account verification is disabled for private IPs (e.g. 127.0.0.1, 192.168.0.1), to make development or running personal boorus easier (fixes #4618).
2020-12-27 22:47:52 -06:00
parent 7e8f859b24
commit 9dc788c0ce
5 changed files with 115 additions and 42 deletions
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -59,7 +59,7 @@ class UsersController < ApplicationController
  end

  def create
-    requires_verification = IpLookup.new(CurrentUser.ip_addr).is_proxy? || IpBan.hit!(:partial, CurrentUser.ip_addr)
+    requires_verification = UserVerifier.new(CurrentUser.user, request).requires_verification?

    @user = authorize User.new(
      last_ip_addr: CurrentUser.ip_addr,