From 2aebb12d4d563aa624d8432e1f3826dac24ec2dd Mon Sep 17 00:00:00 2001
From: Lucas Marcouiller <45882981+Hystepik@users.noreply.github.com>
Date: Sat, 28 Sep 2024 11:21:32 +0200
Subject: [PATCH] New add spam protection to bookcal public page (#31156)

Co-authored-by: Hystepik
---
 htdocs/public/bookcal/index.php | 28 +++++++++++++++++++++-------
 1 file changed, 21 insertions(+), 7 deletions(-)

diff --git a/htdocs/public/bookcal/index.php b/htdocs/public/bookcal/index.php
index f4bc0a324d6..dbb632fe505 100644
--- a/htdocs/public/bookcal/index.php
+++ b/htdocs/public/bookcal/index.php
@@ -48,6 +48,7 @@ require_once DOL_DOCUMENT_ROOT.'/bookcal/class/calendar.class.php';
 require_once DOL_DOCUMENT_ROOT.'/bookcal/class/availabilities.class.php';
 require_once DOL_DOCUMENT_ROOT.'/contact/class/contact.class.php';
 require_once DOL_DOCUMENT_ROOT.'/comm/action/class/actioncomm.class.php';
+require_once DOL_DOCUMENT_ROOT.'/core/lib/public.lib.php';
 
 // Security check
 if (!isModEnabled('bookcal')) {
@@ -191,6 +192,7 @@ if ($action == 'add' ) { // Test on permission not required here (anonymous acti
 	$calendar = $object;
 	$contact = new Contact($db);
 	$actioncomm = new ActionComm($db);
+	$nb_post_max = getDolGlobalInt("MAIN_SECURITY_MAX_POST_ON_PUBLIC_PAGES_BY_IP_ADDRESS", 200);
 
 	if (!is_object($user)) {
 		$user = new User($db);
@@ -229,10 +231,17 @@ if ($action == 'add' ) { // Test on permission not required here (anonymous acti
 		$contact->lastname = GETPOST("lastname");
 		$contact->firstname = GETPOST("firstname");
 		$contact->email = GETPOST("email");
-		$result = $contact->create($user);
-		if ($result < 0) {
+		$contact->ip = getUserRemoteIP();
+
+		if (checkNbPostsForASpeceificIp($contact, $nb_post_max) <= 0) {
 			$error++;
-			$errmsg .= $contact->error." ".implode(',', $contact->errors);
+			$errmsg .= implode('
', $contact->errors);
+		} else {
+			$result = $contact->create($user);
+			if ($result < 0) {
+				$error++;
+				$errmsg .= $contact->error." ".implode(',', $contact->errors);
+			}
 		}
 	}
 } else {
@@ -262,11 +271,16 @@ if ($action == 'add' ) { // Test on permission not required here (anonymous acti
 				'transparency' =>0,
 			]
 		];
-
-		$result = $actioncomm->create($user);
-		if ($result < 0) {
+		$actioncomm->ip = getUserRemoteIP();
+		if (checkNbPostsForASpeceificIp($actioncomm, $nb_post_max) <= 0) {
 			$error++;
-			$errmsg .= $actioncomm->error." ".implode(',', $actioncomm->errors);
+			$errmsg .= implode('
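Review bot: The limit-exceeded branch builds its message from `$contact->errors` only, whereas the create-failure branch a few lines below keeps `$contact->error." ".implode(',', $contact->errors)`; if checkNbPostsForASpeceificIp() reports its reason through `$contact->error` (public.lib.php is not in this patch, so I cannot confirm which member it fills), the visitor is rejected with an empty message and nothing tells the operator why. The actioncomm branch in the next hunk has the same asymmetry. Using one shape in both places, e.g. `$errmsg .= $contact->error." ".implode(',', $contact->errors);`, or a fixed translated "too many submissions" message, avoids the blank-error case; a dol_syslog() call at the rejection point would also give operators a trace of a burst from one address, since none is visible here. The enclosing `if ($action == 'add')` block starts and ends outside the hunk.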
', $actioncomm->errors);
+		} else {
+			$result = $actioncomm->create($user);
+			if ($result < 0) {
+				$error++;
+				$errmsg .= $actioncomm->error." ".implode(',', $actioncomm->errors);
+			}
 		}
 
 		if (!$error) {
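Review bot: When the event-side check fails here, the contact handled by the earlier hunk (at line 231) has already been created or looked up, so a sender who is over the limit can still leave contact rows behind and the rejection is not atomic; no transaction around the two create() calls is visible in these hunks. Running both checkNbPostsForASpeceificIp() calls before either create(), or wrapping the two creates in a `$db->begin()`/`$db->rollback()` pair, keeps the database clean on rejection. Both checks key on getUserRemoteIP(); behind a reverse proxy that does not forward the client address this degrades to one shared counter for every visitor, which is worth a sentence in the documentation of MAIN_SECURITY_MAX_POST_ON_PUBLIC_PAGES_BY_IP_ADDRESS. The enclosing block starts and ends outside the hunk.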