Possible to limit search requests?
Hi guys, I've been putting together a self-hosted Vanilla forum and I'm really happy with how it's going so far. I have one question: is it possible to restrict search to logged-in members only and/or limit the number of search requests in a given period?
I've seen this functionality elsewhere as a forum user. I'd mainly like to guard against excessive server load or a vindictive flood attack (if indeed Vanilla has such a vulnerability). Any help appreciated.
Regards,
Quiff
Best Answers
mcu_hq ✭✭✭
Yes, it is possible. You need to put a few lines in the search model to limit requests to logged-in users. Copy and paste the original into a plugin and modify it there.
0 -
peregrine MVP
mcu_hq's solution would stop people if they know the link.
and this would just not show the link
or in a theme that has default.master.tpl, you can prevent the option from showing on the page (I find it highly unlikely someone would flood search.)
    <div id="Body">
      <div class="Wrapper">
        <div id="Panel">
          {if $User.SignedIn}
            <div class="SearchBox">{searchbox}</div>
          {/if}
          {asset name="Panel"}
        </div>
        <div id="Content">
          {asset name="Content"}
        </div>
      </div>
or modify the default.master.php in theme
I may not provide the completed solution you might desire, but I do try to provide honest suggestions to help you solve your issue.
1
Answers
Thanks you two. I just added if (!$Session->IsValid()) return FALSE; to the search model, then handled it in search's index.php:
    if ($this->SearchResults == FALSE) {
        echo '<p class="NoResults">', sprintf('You must be logged in to search.'), '</p>';
    }
I decided to keep the search box visible so visitors know the feature exists. They also get an incentive to register.
Perhaps I'll turn it into a plugin once I've figured out how. I'm a bit of an amateur hacking around to be honest. I'll probably end up doing something similar once I get around to installing the Sphinx plugin.
Yes, precisely - good job. That was really all there was to it.
You can issue a pull request here once you implement a feature like this.
Cool, just reading your github page now. I'd like to use your plugin as a straightforward replacement for the Vanilla Search. I'd rather go without the various widgets and UI dropdowns, etc. Would you consider making a 'barebones' edition?
You can disable them in the plugin's dashboard.
I recently witnessed a DDoS using search queries that took down one of my employer's biggest sites. Search had to be disabled until the attackers gave up. So I do think this issue is worth exploring. Now I'm wondering if a flood of POST requests (to /getnew for example) could do some damage too.
Thank you.
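The thread settles the logged-in-only gate but leaves the second half of the original question, capping searches per period, without code. The sketch below is an added example, not code from any poster or from Vanilla: `search_allowed()`, its limits and the temp-file storage are assumptions, and the caller is expected to pass in the result of its own session check.

```php
<?php
// Added example, not Vanilla code. search_allowed(), its default limits and
// the temp-file storage are assumptions for illustration (PHP 7.1+).

/**
 * Fixed-window throttle: at most $max searches per $window seconds per client.
 * State lives in one small file per client so it survives across requests.
 */
function search_allowed(string $clientKey, bool $signedIn, int $max = 5,
                        int $window = 60, ?int $now = null, ?string $dir = null): bool
{
    if (!$signedIn) {
        return false;               // same gate as the IsValid() check in the thread
    }
    $now = $now ?? time();
    $dir = $dir ?? sys_get_temp_dir();
    // Hash the key so caller-supplied data never becomes part of a path.
    $path = $dir . '/search_' . hash('sha256', $clientKey) . '.cnt';

    $fh = fopen($path, 'c+');       // create if missing, do not truncate
    if ($fh === false) {
        return false;               // fail closed if state cannot be kept
    }
    flock($fh, LOCK_EX);            // serialise concurrent requests from one client
    $parts = explode(' ', trim((string) stream_get_contents($fh)));
    $start = (int) ($parts[0] ?? 0);
    $count = (int) ($parts[1] ?? 0);
    if ($now - $start >= $window) { // window expired: start a new one
        $start = $now;
        $count = 0;
    }
    $allowed = $count < $max;       // over budget: never reach the search backend
    if ($allowed) {
        $count++;
    }
    ftruncate($fh, 0);
    rewind($fh);
    fwrite($fh, $start . ' ' . $count);
    flock($fh, LOCK_UN);
    fclose($fh);
    return $allowed;
}

// Constructed demo: 3 searches per 10 s for a made-up member id.
$dir = sys_get_temp_dir() . '/throttle_demo_' . getmypid();
@mkdir($dir);
foreach ([100, 101, 102, 103, 111] as $t) {
    echo "t=$t ", search_allowed('user:42', true, 3, 10, $t, $dir) ? "search runs\n" : "refused\n";
}
```

Keying on the member id only works because guests are refused first; on a multi-server install the counter would need shared storage rather than local files.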