Bug 1183975 - limit the number of accounts a new user can add to any multi-user field

3 files changed, 28 insertions, 15 deletions

diff --git a/extensions/AntiSpam/Extension.pm b/extensions/AntiSpam/Extension.pm
index d8981071c..ad8914bd0 100644
--- a/extensions/AntiSpam/Extension.pm
+++ b/extensions/AntiSpam/Extension.pm
@@ -126,9 +126,13 @@ sub _ip_blocking {
 }
 
 #
-# cc count restrictions
+# cc/flag/etc count restrictions
 #
 
+sub _is_limited_user {
+    return Bugzilla->user->creation_age < Bugzilla->params->{antispam_multi_user_limit_age};
+}
+
 sub bug_before_create {
     my ($self, $args) = @_;
     $self->_cc_limit($args->{params}, 'cc');
@@ -141,15 +145,12 @@ sub bug_start_of_set_all {
 
 sub _cc_limit {
     my ($self, $params, $cc_field) = @_;
+    return unless _is_limited_user();
     return unless exists $params->{$cc_field};
 
-    my $user = Bugzilla->user;
     my $cc_count = ref($params->{$cc_field}) ? scalar(@{ $params->{$cc_field} }) : 1;
-    my $limit_count = Bugzilla->params->{antispam_cc_limit_count};
-    my $limit_age = Bugzilla->params->{antispam_cc_limit_age};
-
-    if ($cc_count > $limit_count && $user->creation_age < $limit_age) {
-        _syslog(sprintf("[audit] blocked <%s> from CC'ing %s users", $user->login, $cc_count));
+    if ($cc_count > Bugzilla->params->{antispam_multi_user_limit_count}) {
+        _syslog(sprintf("[audit] blocked <%s> from CC'ing %s users", Bugzilla->user->login, $cc_count));
         delete $params->{$cc_field};
         if (exists $params->{cc} && exists $params->{cc}->{add}) {
             delete $params->{cc}->{add};
@@ -157,6 +158,18 @@ sub _cc_limit {
     }
 }
 
+sub bug_set_flags {
+    my ($self, $args) = @_;
+    return unless _is_limited_user();
+
+    my $flag_count = @{ $args->{new_flags} };
+    if ($flag_count > Bugzilla->params->{antispam_multi_user_limit_count}) {
+        _syslog(sprintf("[audit] blocked <%s> from flaging %s users", Bugzilla->user->login, $flag_count));
+        # empty the arrayref
+        $#{ $args->{new_flags} } = -1;
+    }
+}
+
 #
 # spam user disabling
 #
diff --git a/extensions/AntiSpam/lib/Config.pm b/extensions/AntiSpam/lib/Config.pm
index 92ccca175..754907d22 100644
--- a/extensions/AntiSpam/lib/Config.pm
+++ b/extensions/AntiSpam/lib/Config.pm
@@ -62,13 +62,13 @@ sub get_param_list {
                 "guidelines."
         },
         {
-            name => 'antispam_cc_limit_age',
+            name => 'antispam_multi_user_limit_age',
             type => 't',
             default => '2',
             checker => \&check_numeric,
         },
         {
-            name => 'antispam_cc_limit_count',
+            name => 'antispam_multi_user_limit_count',
             type => 't',
             default => '5',
             checker => \&check_numeric,
diff --git a/extensions/AntiSpam/template/en/default/admin/params/antispam.html.tmpl b/extensions/AntiSpam/template/en/default/admin/params/antispam.html.tmpl
index a21f57e4d..d9e73ff55 100644
--- a/extensions/AntiSpam/template/en/default/admin/params/antispam.html.tmpl
+++ b/extensions/AntiSpam/template/en/default/admin/params/antispam.html.tmpl
@@ -34,12 +34,12 @@
     "This message will be displayed to the user when they try to log " _
     "in after their account is disabled due to abuse."
 
-  antispam_cc_limit_age =>
-    "Accounts created fewer than this many days are restricted to CCing " _
-    "'antispam_cc_limit_count' users at once."
+  antispam_multi_user_limit_age =>
+    "Accounts created fewer than this many days are restricted to CCing/flag/etc " _
+    "'antispam_multi_user_limit_count' users at once."
 
-  antispam_cc_limit_count =>
-    "The maximum number of users new accounts can CC at once.  Attempts to " _
-    "CC more than this many users will result in zero users being CCed."
+  antispam_multi_user_limit_count =>
+    "The maximum number of users new accounts can CC/flag/etc at once.  Attempts to " _
+    "use more than this many users will result in zero users being set."
 }
 %]