Rate-limit emails sent by the same user in a period of time

Author: mtomilov

Diff for: h/services/email.py

@@ -2,6 +2,7 @@
 
 import smtplib
 from dataclasses import dataclass
+from datetime import UTC, datetime, timedelta
 
 import pyramid_mailer
 import pyramid_mailer.message
@@ -15,6 +16,9 @@
 
 logger = get_task_logger(__name__)
 
+# Limit for the number of mention emails sent by a single user in a day to prevent abuse
+DAILY_SENDER_MENTION_LIMIT = 5
+
 
 @dataclass(frozen=True)
 class EmailData:
@@ -51,6 +55,9 @@ def __init__(
         self._task_done_service = task_done_service
 
     def send(self, email_data: EmailData, task_data: TaskData) -> None:
+        if not self._allow_sending(task_data):
+            return
+
         if self._debug:  # pragma: no cover
             logger.info("emailing in debug mode: check the `mail/` directory")
         try:
@@ -74,6 +81,23 @@ def send(self, email_data: EmailData, task_data: TaskData) -> None:
         )
         self._task_done_service.create(task_data)
 
+    def _allow_sending(self, task_data: TaskData) -> bool:
+        if (
+            task_data.tag == EmailTag.MENTION_NOTIFICATION
+            and self._sender_limit_reached(task_data)
+        ):
+            logger.warning(
+                "Email not sent for sender_id=%s: limit reached",
+                task_data.sender_id,
+            )
+            return False
+        return True
+
+    def _sender_limit_reached(self, task_data: TaskData) -> bool:
+        after = datetime.now(UTC) - timedelta(days=1)
+        count = self._task_done_service.sender_mention_count(task_data.sender_id, after)
+        return count >= DAILY_SENDER_MENTION_LIMIT
+
 
 def factory(_context, request: Request) -> EmailService:
     mailer = pyramid_mailer.get_mailer(request)

Diff for: tests/unit/h/services/email_test.py

@@ -1,9 +1,17 @@
 import smtplib
+from unittest import mock
 from unittest.mock import sentinel
 
 import pytest
 
-from h.services.email import EmailData, EmailService, EmailTag, TaskData, factory
+from h.services.email import (
+    DAILY_SENDER_MENTION_LIMIT,
+    EmailData,
+    EmailService,
+    EmailTag,
+    TaskData,
+    factory,
+)
 
 
 class TestEmailService:
@@ -21,16 +29,17 @@ def test_send_creates_email_message(
         )
 
     def test_send_creates_email_message_with_html_body(
-        self, task_data, email_service, pyramid_mailer
+        self, email_service, task_data, pyramid_mailer
     ):
-        email = EmailData(
+        email_data = EmailData(
             recipients=["[email protected]"],
             subject="My email subject",
             body="Some text body",
             tag=EmailTag.TEST,
             html="<p>An HTML body</p>",
         )
-        email_service.send(email, task_data)
+
+        email_service.send(email_data, task_data)
 
         pyramid_mailer.message.Message.assert_called_once_with(
             recipients=["[email protected]"],
@@ -40,6 +49,60 @@ def test_send_creates_email_message_with_html_body(
             extra_headers={"X-MC-Tags": EmailTag.TEST},
         )
 
+    def test_send_creates_email_with_mention(
+        self, email_data, task_data, email_service, pyramid_mailer, task_done_service
+    ):
+        email_data = EmailData(
+            recipients=["[email protected]"],
+            subject="My email subject",
+            body="Some text body",
+            tag=EmailTag.MENTION_NOTIFICATION,
+        )
+        task_data = TaskData(
+            tag=email_data.tag,
+            sender_id=123,
+            recipient_ids=[124],
+        )
+        task_done_service.sender_mention_count.return_value = DAILY_SENDER_MENTION_LIMIT
+
+        email_service.send(email_data, task_data)
+
+        task_done_service.sender_mention_count.assert_called_once_with(
+            task_data.sender_id, mock.ANY
+        )
+        pyramid_mailer.message.Message.assert_called_once_with(
+            recipients=["[email protected]"],
+            subject="My email subject",
+            body="Some text body",
+            html=None,
+            extra_headers={"X-MC-Tags": EmailTag.MENTION_NOTIFICATION},
+        )
+
+    def test_send_does_not_create_email_with_mention(
+        self, email_data, task_data, email_service, pyramid_mailer, task_done_service
+    ):
+        email_data = EmailData(
+            recipients=["[email protected]"],
+            subject="My email subject",
+            body="Some text body",
+            tag=EmailTag.MENTION_NOTIFICATION,
+        )
+        task_data = TaskData(
+            tag=email_data.tag,
+            sender_id=123,
+            recipient_ids=[124],
+        )
+        task_done_service.sender_mention_count.return_value = (
+            DAILY_SENDER_MENTION_LIMIT + 1
+        )
+
+        email_service.send(email_data, task_data)
+
+        task_done_service.sender_mention_count.assert_called_once_with(
+            task_data.sender_id, mock.ANY
+        )
+        pyramid_mailer.message.Message.assert_not_called()
+
     def test_send_dispatches_email_using_request_mailer(
         self, email_data, task_data, email_service, pyramid_mailer
     ):
@@ -67,18 +130,19 @@ def test_send_logging(self, email_data, task_data, email_service, info_caplog):
         ]
 
     def test_send_logging_with_extra(self, email_data, email_service, info_caplog):
-        user_id = 123
+        sender_id = 123
+        recipient_id = 124
         annotation_id = "annotation_id"
         task_data = TaskData(
             tag=email_data.tag,
-            sender_id=user_id,
-            recipient_ids=[user_id],
+            sender_id=sender_id,
+            recipient_ids=[recipient_id],
             extra={"annotation_id": annotation_id},
         )
         email_service.send(email_data, task_data)
 
         assert info_caplog.messages == [
-            f"Sent email: tag={task_data.tag!r}, sender_id={user_id}, recipient_ids={[user_id]}, annotation_id={annotation_id!r}"
+            f"Sent email: tag={task_data.tag!r}, sender_id={sender_id}, recipient_ids={[recipient_id]}, annotation_id={annotation_id!r}"
         ]
 
     def test_send_creates_task_done(
@@ -87,7 +151,7 @@ def test_send_creates_task_done(
         task_data = TaskData(
             tag=email_data.tag,
             sender_id=123,
-            recipient_ids=[123],
+            recipient_ids=[124],
             extra={"annotation_id": "annotation_id"},
         )
         email_service.send(email_data, task_data)
@@ -108,7 +172,7 @@ def task_data(self):
         return TaskData(
             tag=EmailTag.TEST,
             sender_id=123,
-            recipient_ids=[123],
+            recipient_ids=[124],
         )
 
     @pytest.fixture