There is no throttle applied to profile post reactions

Affected version


A user has set up a bot on my website which is currently liking every profile post ever made simply by spamming this request:

[06/Apr/2021:17:04:44 +0000] "POST /profile-posts/214749/react HTTP/1.1" 303 0 "/profile-posts/145466/react?reaction_id=1" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36"

Then it increments the profile post ID by 1 and resubmits. This is allowed to occur as fast as your webserver and database allow it to. The end result is a flood of notifications. If you had a profile set up with links to commercial services (i.e. spam) this would be a great way to deliver your URL to every user on the site.

I'm not sure if this applies to other reactions, but profile posts are likely the ideal target as they rarely get deleted and are almost always available to registered users without any special permissions.
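Detection logic for the pattern described in this report, as an added example that is not part of the original post and not XenForo's own code: it parses combined-format access log lines laid out like the one quoted above, counts POST requests to /profile-posts/<id>/react per client IP inside a sliding time window, and flags clients that also step through profile post IDs one at a time. The sample log lines, the client IPs, the 60-second/10-request thresholds and the function names are all constructed assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Combined access log format (client IP, ident, user, timestamp, request,
# status, bytes, referer, user agent), the same layout as the line quoted above.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# The reaction endpoint named in the report, with the profile post ID captured.
REACT_RE = re.compile(r'^/profile-posts/(?P<id>\d+)/react$')


def parse(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['ts'] = datetime.strptime(rec['ts'], '%d/%b/%Y:%H:%M:%S %z')
    return rec


def find_reaction_floods(lines, window_seconds=60, max_reacts=10):
    """Return {ip: {'count': n, 'sequential': bool}} for every client that sent
    more than max_reacts reaction POSTs inside any window_seconds window.
    'sequential' is True when at least 80% of consecutive requests step the
    profile post ID by exactly 1, the ID+1 pattern the report describes.
    Thresholds are assumptions; tune them to the forum's normal activity."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec is None or rec['method'] != 'POST':
            continue
        m = REACT_RE.match(rec['path'])
        if m:
            per_ip[rec['ip']].append((rec['ts'], int(m.group('id'))))

    findings = {}
    for ip, events in per_ip.items():
        events.sort()
        # Sliding window: widest run of events that fits inside window_seconds.
        start, worst = 0, 0
        for end in range(len(events)):
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            worst = max(worst, end - start + 1)
        if worst > max_reacts:
            ids = [pid for _, pid in events]
            steps = [b - a for a, b in zip(ids, ids[1:])]
            sequential = bool(steps) and steps.count(1) / len(steps) >= 0.8
            findings[ip] = {'count': worst, 'sequential': sequential}
    return findings


def make_sample_log():
    """Constructed sample log, not taken from the report: 203.0.113.7 iterates
    twelve consecutive profile post IDs in three seconds, 198.51.100.4 reacts
    twice several minutes apart, and a couple of unrelated requests are mixed in."""
    ua = ('Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 '
          '(KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36')
    lines = []
    for i in range(12):
        pid = 214749 + i
        lines.append(
            f'203.0.113.7 - - [06/Apr/2021:17:04:{44 + i // 4:02d} +0000] '
            f'"POST /profile-posts/{pid}/react HTTP/1.1" 303 0 '
            f'"/profile-posts/{pid - 1}/react?reaction_id=1" "{ua}"'
        )
    lines.append('198.51.100.4 - - [06/Apr/2021:17:05:10 +0000] '
                 '"POST /profile-posts/1020/react HTTP/1.1" 303 0 "/members/jane.12/" "' + ua + '"')
    lines.append('198.51.100.4 - - [06/Apr/2021:17:09:30 +0000] '
                 '"POST /profile-posts/88/react HTTP/1.1" 303 0 "/members/bob.7/" "' + ua + '"')
    lines.append('198.51.100.4 - - [06/Apr/2021:17:09:31 +0000] '
                 '"GET /profile-posts/88/ HTTP/1.1" 200 5120 "-" "' + ua + '"')
    lines.append('203.0.113.7 - - [06/Apr/2021:17:04:47 +0000] '
                 '"POST /login/login HTTP/1.1" 303 0 "-" "' + ua + '"')
    return lines


if __name__ == '__main__':
    for ip, info in find_reaction_floods(make_sample_log()).items():
        print(f"{ip}: {info['count']} reactions in 60s, sequential IDs: {info['sequential']}")
```

Run against a real access log, the script reports only the iterating client; the user who reacted twice stays below the threshold. The sequential-ID flag is the stronger signal of the two, since a burst of reactions to unrelated posts can be a legitimate user catching up, while stepping through IDs in order is characteristic of the bot described above.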