Merge branch 'dev_aliyun' of http://bdgit.educoder.net/Hjqreturn/educoder into dev_aliyun

app/controllers/accounts_controller.rb

@@ -73,15 +73,21 @@ class AccountsController < ApplicationController
   def login
     @user = User.try_to_login(params[:login], params[:password])
 
-    if @user
+    return normal_status(-2, "错误的账号或密码") if @user.blank?
     # user is already in local database
     return normal_status(-2, "违反平台使用规范，账号已被锁定") if @user.locked?
-      return normal_status(-2, "错误的账号或密码") unless @user.check_password?(params[:password].to_s)
-    else
+
+    login_control = LimitForbidControl::UserLogin.new(@user)
+    return normal_status(-2, "登录密码出错已达上限，将锁定密码1小时") if login_control.forbid?
+
+    password_ok = @user.check_password?(params[:password].to_s)
+    unless password_ok
+      login_control.increment!
       return normal_status(-2, "错误的账号或密码")
     end
 
     successful_authentication(@user)
+    login_control.clear # 重置每日密码错误次数
 
     session[:user_id] = @user.id
   end

app/controllers/application_controller.rb

@@ -86,8 +86,18 @@ class ApplicationController < ActionController::Base
 		when 8, 3, 5
 			# 邮箱类型的发送
 			sigle_para = {email: value}
+			# 60s内不能重复发送
+			send_email_limit_cache_key = "send_email_60_second_limit:#{value}"
+			tip_exception(-2, '请勿频繁操作') if Rails.cache.exist?(send_email_limit_cache_key)
+
+			# 短时间内不能大量发送
+			send_email_control = LimitForbidControl::SendEmailCode.new(value)
+			tip_exception(-2, '邮件发送太频繁，请稍后再试') if send_email_control.forbid?
 			begin
 				UserMailer.register_email(value, code).deliver_now
+
+				Rails.cache.write(send_email_limit_cache_key, 1, expires_in: 1.minute)
+				send_email_control.increment!
 				# Mailer.run.email_register(code, value)
 			rescue Exception => e
 				logger_error(e)

app/libs/limit_forbid_control.rb

@@ -0,0 +1,2 @@
+module LimitForbidControl
+end

app/libs/limit_forbid_control/base.rb

@@ -0,0 +1,56 @@
+class LimitForbidControl::Base
+  def initialize
+  end
+
+  def cache_key
+    raise 'Please overwrite method :cache_Key'
+  end
+
+  def forbid_cache_key
+    "#{cache_key}:forbid"
+  end
+
+  def allow_times
+    5
+  end
+
+  def cumulative_expires
+    1.days
+  end
+
+  def forbid_expires
+    1.hours
+  end
+
+  def forbid?
+    Rails.cache.read(forbid_cache_key)
+  end
+
+  def increment!
+    value = Rails.cache.read(cache_key)
+    value = value.to_i + 1
+
+    # 锁定
+    if value > allow_times.to_i
+      Rails.cache.write(forbid_cache_key, true, expires_in: forbid_expires)
+      Rails.cache.delete(cache_key)
+    else
+      Rails.cache.write(cache_key, value, expires_in: cumulative_expires)
+    end
+  end
+
+  def clear
+    Rails.cache.delete(forbid_cache_key)
+    Rails.cache.delete(cache_key)
+  end
+
+  private
+
+  def redis_cache?
+    Rails.cache.is_a?(ActiveSupport::Cache::RedisStore)
+  end
+
+  def day
+    Time.current.strftime('%Y%m%d')
+  end
+end

app/libs/limit_forbid_control/send_email_code.rb

@@ -0,0 +1,25 @@
+class LimitForbidControl::SendEmailCode < LimitForbidControl::Base
+  attr_reader :email
+
+  def initialize(email)
+    super()
+    @email = email
+  end
+
+  def allow_times
+    EduSetting.get('daily_send_email_code_times').presence || 5
+  end
+
+  def forbid_expires
+    num = EduSetting.get('daily_send_email_code_forbid_time').presence.to_i
+    num.zero? ? 10.minutes : num.to_i.hours
+  end
+
+  def cumulative_expires
+    1.hours
+  end
+
+  def cache_key
+    @_cache_key ||= "limit_forbid_control:#{day}:send_email_code:#{email}"
+  end
+end

app/libs/limit_forbid_control/user_login.rb

@@ -0,0 +1,25 @@
+class LimitForbidControl::UserLogin < LimitForbidControl::Base
+  attr_reader :user
+
+  def initialize(user)
+    super()
+    @user = user
+  end
+
+  def allow_times
+    EduSetting.get('daily_error_password_times').presence || 5
+  end
+
+  def forbid_expires
+    num = EduSetting.get('daily_error_password_forbid_time').presence.to_i
+    num.zero? ? 1.hours : num.to_i.hours
+  end
+
+  def cumulative_expires
+    1.days
+  end
+
+  def cache_key
+    @_cache_key ||= "limit_forbid_control:#{day}:user_login:#{user.id}"
+  end
+end

public/react/src/common/UrlTool.js

@@ -71,3 +71,18 @@ export function toPath(path) {
 export function getTaskUrlById(id) {
 	return `/tasks/${id}`
 }
+
+
+export function htmlEncode(str) {
+	var s = "";
+	if (str.length === 0) {
+		return "";
+	}
+	s = str.replace(/&/g, "&");
+	s = s.replace(/</g, "&lt;");
+	s = s.replace(/>/g, "&gt;");
+	s = s.replace(/ /g, "&nbsp;");
+	s = s.replace(/\'/g, "&#39;");//IE下不支持实体名称
+	s = s.replace(/\"/g, "&quot;");
+	return s;
+}

public/react/src/common/educoder.js

@@ -4,7 +4,7 @@ import { from } from '_array-flatten@2.1.2@array-flatten';
 
 export { getImageUrl as getImageUrl, getUrl as getUrl, getUrl2 as getUrl2, setImagesUrl as setImagesUrl
         , getUploadActionUrl as getUploadActionUrl, getUploadActionUrlOfAuth as getUploadActionUrlOfAuth
-        , getTaskUrlById as getTaskUrlById, TEST_HOST } from                './UrlTool';
+        , getTaskUrlById as getTaskUrlById, TEST_HOST ,htmlEncode as htmlEncode } from                './UrlTool';
 export { default as queryString } from                './UrlTool2';
  
 export { SnackbarHOC as SnackbarHOC } from                './SnackbarHOC';

public/react/src/modules/forums/MemoDetail.js

@@ -22,7 +22,7 @@ import {ImageLayerOfCommentHOC} from '../page/layers/ImageLayerOfCommentHOC'
 import MemoDetailKEEditor from './MemoDetailKEEditor'
 import MemoDetailMDEditor from './MemoDetailMDEditor'
 
-import { bytesToSize, CBreadcrumb } from 'educoder'
+import { bytesToSize, CBreadcrumb ,htmlEncode} from 'educoder'
 import { Tooltip } from 'antd'
 
 // import CBreadcrumb from '../courses/common/CBreadcrumb'
@@ -246,6 +246,8 @@ class MemoDetail extends Component {
       if (commentContent) {
         commentContent = commentContent.replace(/(\n<p>\n\t<br \/>\n<\/p>)*$/g,'');
       }
+
+			commentContent=htmlEncode(commentContent)
       axios.post(url, {
             parent_id: id,
             content: commentContent
@@ -491,6 +493,7 @@ class MemoDetail extends Component {
       const url = `/memos/reply.json`;
       let { comments } = this.state;
       const user = this._getUser();
+			content=htmlEncode(content)
       axios.post(url, {
           parent_id: memo.id,
           content: content

public/react/src/modules/message/js/MessagChat.js

@@ -1,6 +1,6 @@
 import React, { Component } from 'react';
 import "../css/messagemy.css"
-import {getImageUrl,markdownToHTML} from 'educoder';
+import {getImageUrl,markdownToHTML,htmlEncode} from 'educoder';
 import { Modal,Input,Icon,Tooltip,Spin} from 'antd';
 import axios from 'axios';
 import TPMMDEditor from '../../tpm/challengesnew/TPMMDEditor';
@@ -417,6 +417,7 @@ class MessagChat extends Component{
 	  let  contents=this.messageRef.current.getValue().trim();
 		const query = this.props.location.search;
 		let target_ids = query.split('?target_ids=');
+		contents=htmlEncode(contents)
 		let url = `/users/${this.props.match.params.userid}/private_messages.json`;
 		axios.post(url, {
 				target_id: target_ids[1],

public/react/src/modules/message/messagemodal/WriteaprivateletterModal.js

@@ -2,7 +2,7 @@ import React, { Component } from 'react';
 import { Modal,Input,Icon,Tooltip,Spin} from 'antd';
 import axios from 'axios';
 // import '../../modules/user/common.css';
-import {getImageUrl} from 'educoder';
+import {getImageUrl,htmlEncode} from 'educoder';
 //完善个人资料
 class WriteaprivateletterModal extends Component {
 
@@ -58,6 +58,7 @@ class WriteaprivateletterModal extends Component {
 	//发送私信
 	SendprivatemessageAPI=(idvalue,contentvalue)=>{
 		const  url =`/users/${this.props.current_user.user_id}/private_messages.json`
+		contentvalue=htmlEncode(contentvalue)
 		let data={
 			target_id:idvalue,
 			content:contentvalue,