Bubble v6.14

BBS has been updated to Bubble v6.14 with a number of bug fixes and minor improvements:

• Fixed publishing a draft comment in an issue tracker.
• Fixed error message when trying to create a subspace but the name is already in use.
• Fixed post summary if the content starts with a hash (accidental Gemtext heading).
• A subspace moderator can delete their subspace if it's empty.
• Poll author sees the results even if they haven't voted.
• Strip file/image attachment URL or link from the caption label if it is accidentally included by the user.
• Polls in subspaces and posts that have been omitted from All Posts do not trigger site-wide notifications.
• The comment prompt mentions that it is possible to end with a backslash to make a draft.
• Post-registration welcome page links directly to Settings for convenience.
• New users default to Oldest First comment order.
• Improved clarity of comment pages.

Security improvements:

• Rate limit for user registrations (site-wide).
• Rate limit for making posts (per IP).
• Added a random token in user registration and profile editing URLs to hinder scripted attacks.
• Added a random token in posting URLs for limited accounts.

=> Posted in: s/Bubble | 🕹️ skyjake [mod, sysop]

2023-10-29 · 1 year ago · 👍 innerteapot, Nono

2 Comments ↓

=> 🕹️ skyjake [OP/mod...] · 2023-10-30 at 10:26:

I only keep track of registration attempts and when unapproved ("limited") users create a post, so there isn't a lot of logged actions happening. There's a database table where SHA-256 hashes of the IP addresses are stored together with a timestamp. (I don't want to keep a record of actual IP addresses.) My rate calculations are based on activity during the last hour. When checking the current rate (i.e., number of entries in the log), it also deletes entries older than one hour so the table doesn't keep growing. That's pretty much it, quite basic.

=> 🕹️ skyjake [OP/mod...] · 2023-10-30 at 15:50:

I did consider an in-memory log as well, but I prefer having a way to inspect the log manually (for potential IP blocking) and have it persist over restarts. Also importantly, the rate limiting is done by the CGI application, so it is being handled by multiple separate Python processes, which complicates shared memory access quite a bit.