codidact · Oaphi · Jul 1, 2025 · Jun 24, 2025 · Jul 1, 2025 · Jul 1, 2025
diff --git a/app/controllers/users/registrations_controller.rb b/app/controllers/users/registrations_controller.rb
@@ -1,4 +1,24 @@
 class Users::RegistrationsController < Devise::RegistrationsController
+  def create
+    super do |user|
+      unless user.errors.any?
+        rate_limit = AppConfig.server_settings['registration_rate_limit']
+        ip_list = [user.current_sign_in_ip, request.remote_ip].compact
+        previous_ip_users = User.where(current_sign_in_ip: ip_list).or(User.where(last_sign_in_ip: ip_list))
+                                .where(created_at: rate_limit.seconds.ago..DateTime.now)
+                                .where.not(id: user.id)
+        if previous_ip_users.size.zero?
+          user.send_welcome_tour_message
+          user.ensure_websites
+        else
+          user.delete
+          flash[:danger] = 'You cannot create an account right now because of the volume of accounts originating ' \
+                           'from your network. Try again later.'
+        end
+      end
+    end
+  end
+
   protected
 
   layout 'without_sidebar', only: :edit

diff --git a/app/models/user.rb b/app/models/user.rb
@@ -45,8 +45,6 @@ class User < ApplicationRecord
   scope :active, -> { where(deleted: false) }
   scope :deleted, -> { where(deleted: true) }
 
-  after_create :send_welcome_tour_message, :ensure_websites
-
   def self.list_includes
     includes(:posts, :avatar_attachment)
   end

diff --git a/config/config/server_settings.yml b/config/config/server_settings.yml
@@ -0,0 +1 @@
+registration_rate_limit: 300
diff --git a/test/controllers/users/registrations_controller_test.rb b/test/controllers/users/registrations_controller_test.rb
@@ -0,0 +1,38 @@
+require 'test_helper'
+
+class Users::RegistrationsControllerTest < ActionController::TestCase
+  include Devise::Test::ControllerHelpers
+  include ApplicationHelper
+
+  test 'should register user' do
+    @request.env['devise.mapping'] = Devise.mappings[:user]
+    try_register_user('test', '[email protected]', 'testtest')
+    assert_response(:found)
+    assert_not_nil assigns(:user).id
+    assert_redirected_to root_path
+  end
+
+  test 'should prevent rapid registrations from same IP' do
+    @request.env['devise.mapping'] = Devise.mappings[:user]
+    User.create(username: 'test', email: '[email protected]', password: 'testtest', current_sign_in_ip: '0.0.0.0')
+    try_register_user('test', '[email protected]', 'testtest')
+    assert_response(:found)
+    assert_redirected_to users_path
+    assert_not_nil flash[:danger]
+  end
+
+  test 'ensure Devise errors are handled properly' do
+    @request.env['devise.mapping'] = Devise.mappings[:user]
+    existing_user = users(:standard_user)
+    try_register_user(existing_user.username, existing_user.email, 'testtest')
+    assert_response(:success)
+    assert_not_empty assigns(:user).errors
+  end
+
+  private
+
+  def try_register_user(username, email, password)
+    post :create, params: { user: { username: username, email: email, password: password,
+                                    password_confirmation: password } }
+  end
+end