From 6d35a697af56a5677a76f5056db1c8c9a665aeda Mon Sep 17 00:00:00 2001 From: Greg Price Date: Mon, 4 Dec 2017 21:31:21 -0800 Subject: [PATCH] antispam: Don't let new accounts in open realms immediately send invites. We haven't had a problem with this yet, but this should help prevent it. --- zerver/lib/actions.py | 11 +++++++++++ zproject/dev_settings.py | 2 ++ zproject/settings.py | 5 +++++ 3 files changed, 18 insertions(+) diff --git a/zerver/lib/actions.py b/zerver/lib/actions.py index b6e8c69d7a..b0ebba6c1e 100644 --- a/zerver/lib/actions.py +++ b/zerver/lib/actions.py @@ -4017,6 +4017,17 @@ def do_invite_users(user_profile: UserProfile, check_invite_limit(user_profile, len(invitee_emails)) + realm = user_profile.realm + if not realm.invite_required: + # Inhibit joining an open realm to send spam invitations. + min_age = datetime.timedelta(days=settings.INVITES_MIN_USER_AGE_DAYS) + if (user_profile.date_joined > timezone_now() - min_age + and not user_profile.is_realm_admin): + raise InvitationError( + _("Your account is too new to send invites for this organization. " + "Ask an organization admin, or a more experienced user."), + [], sent_invitations=False) + validated_emails = [] # type: List[Text] errors = [] # type: List[Tuple[Text, str]] skipped = [] # type: List[Tuple[Text, str]] diff --git a/zproject/dev_settings.py b/zproject/dev_settings.py index 8dfb6f37e8..bf2d0f8081 100644 --- a/zproject/dev_settings.py +++ b/zproject/dev_settings.py @@ -47,7 +47,9 @@ PHYSICAL_ADDRESS = "Zulip Headquarters, 123 Octo Stream, South Pacific Ocean" EXTRA_INSTALLED_APPS = ["zilencer", "analytics"] # Disable Camo in development CAMO_URI = '' + OPEN_REALM_CREATION = True +INVITES_MIN_USER_AGE_DAYS = 0 EMBEDDED_BOTS_ENABLED = True diff --git a/zproject/settings.py b/zproject/settings.py index 4aba2a1bfa..b647252f5d 100644 --- a/zproject/settings.py +++ b/zproject/settings.py 
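Review bot: The account-age gate added to `do_invite_users` just before `validated_emails = []` comes with no test; the diffstat lists only `actions.py` and the two settings files, so a later refactor could drop this anti-spam control unnoticed. It would help to cover four cases: a non-admin with a fresh `date_joined` in a realm where `invite_required` is false gets `InvitationError`, the same user passes once older than `INVITES_MIN_USER_AGE_DAYS`, a realm admin is exempt, and a realm with `invite_required` set is unaffected. The inline comment could also record the rule and its exemption, for example `# Anti-spam: in realms anyone can join, non-admin accounts younger than INVITES_MIN_USER_AGE_DAYS can't send invites.` The admin exemption means that case is bounded only by `check_invite_limit`, which I assume is intentional. The body of `do_invite_users` starts and ends outside this hunk.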
@@ -302,6 +302,11 @@ DEFAULT_SETTINGS.update({ 'MAX_ICON_FILE_SIZE': 5, 'MAX_EMOJI_FILE_SIZE': 5, + # Limits to help prevent spam, in particular by sending invitations. + # + # A non-admin user who's joined an open realm this recently can't invite at all. + 'INVITES_MIN_USER_AGE_DAYS': 3, + # Controls for which links are published in portico footers/headers/etc. 'EMAIL_DELIVERER_DISABLED': False, 'REGISTER_LINK_DISABLED': None,
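Review bot: The comment above `'INVITES_MIN_USER_AGE_DAYS': 3` does not say that the age is measured in days from `date_joined`, nor that a value of 0 turns the gate off, which is how `dev_settings.py` uses it in this same patch. Suggested wording: `# Minimum account age, in days, before a non-admin user in an open realm may send invitations; 0 disables the check.` As this is an anti-abuse control that operators may want to tune, it is also worth mentioning wherever the other server settings are documented. That file is not part of this patch, so whether it already covers the setting cannot be told from here.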