Skip to content

Add comprehensive email validation for blocked users #8

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
akshayutture-augment wants to merge 1 commit into
base: blocked-email-validation-pre
Choose a base branch
from
Open

Add comprehensive email validation for blocked users #8

akshayutture-augment wants to merge 1 commit into from

Conversation

@akshayutture-augment
Copy link
Contributor

@akshayutture-augment akshayutture-augment commented Nov 19, 2025

@nlalonde
Add BlockedEmail, to block signups based on email. Track stats of how…
5f8a130 
… many times each email address is blocked, and last time it was blocked. Move email validation out of User model and into EmailValidator. Signup form remembers which email addresses have failed and shows validation error on email field.
@akshayutture-augment
Copy link
Contributor Author

akshayutture-augment commented Nov 20, 2025

@claude review this PR

1 similar comment
@akshayutture-augment
Copy link
Contributor Author

akshayutture-augment commented Nov 20, 2025

@claude review this PR

@claude
Copy link

claude bot commented Nov 20, 2025
edited
Loading

Claude finished @akshayutture-augment's task —— View job

Code Review Complete ✅

I've reviewed the PR that adds comprehensive email validation for blocked users. Here's my detailed feedback:

Overview

This PR extracts email validation logic from the User model into a separate EmailValidator class and introduces a BlockedEmail model to track and block email addresses. The implementation also includes client-side feedback for rejected emails.

🔴 Critical Issues

1. Race Condition and Side Effect in Validation (app/models/blocked_email.rb:11-18)

The should_block? method has a serious issue - it updates statistics during what should be a read-only check:

def self.should_block?(email)
  record = BlockedEmail.where(email: email).first
  if record
    record.match_count += 1
    record.last_match_at = Time.zone.now
    record.save
  end
  record && record.action_type == actions[:block]
end

Problems:

  • This method is called during validation, which can happen multiple times (e.g., during form re-renders, duplicate validation calls)
  • If the save fails, the method still returns the blocking status, creating inconsistency
  • Multiple concurrent requests could lead to race conditions updating match_count
  • Validation methods should be idempotent and not have side effects

Recommendation: Separate the "check" logic from the "record statistics" logic. The statistics update should happen after successful validation failure, not during the check itself.

2. Missing Newline at End of File (lib/validators/email_validator.rb:24)

The file is missing a newline at the end, which violates POSIX standards and can cause issues with some tools.

3. Logic Error in Validation Check (lib/validators/email_validator.rb:13)

if record.errors[attribute].blank? and BlockedEmail.should_block?(value)

Using and instead of && here is problematic:

  • Lower precedence can cause unexpected behavior
  • Inconsistent with Ruby style guidelines (use && for boolean logic, and for flow control)

⚠️ Major Issues

4. N+1 Query Pattern (app/models/blocked_email.rb:12)

record = BlockedEmail.where(email: email).first

This will execute a query every time an email is validated. Consider:

  • Adding a caching layer for frequently checked emails
  • Using a more efficient lookup mechanism for high-traffic scenarios

5. No Index on action_type (db/migrate/20130724201552_create_blocked_emails.rb)

The migration creates an index on email but not on action_type. Since queries filter by action_type in the should_block? method, consider adding a composite index:

add_index :blocked_emails, [:email, :action_type], unique: true

6. Thread Safety Concern (app/models/blocked_email.rb:14-16)

The increment and save pattern is not atomic:

record.match_count += 1
record.last_match_at = Time.zone.now
record.save

Use atomic updates instead:

record.update_columns(
  match_count: record.match_count + 1,
  last_match_at: Time.zone.now
)

Or better yet, use SQL directly:

BlockedEmail.where(id: record.id).update_all([
  "match_count = match_count + 1, last_match_at = ?", 
  Time.zone.now
])

💡 Medium Issues

7. Inconsistent Error Handling (app/controllers/users_controller.rb:195-200)

The error response now includes errors hash and values, but only when validation fails. Consider:

  • Documenting this behavior change (breaking change for API clients)
  • Ensuring all error paths return consistent structures

8. Memory Leak Potential (app/assets/javascripts/discourse/controllers/create_account_controller.js:17)

rejectedEmails: Em.A([]),

The rejectedEmails array grows indefinitely during the controller's lifetime. If a user tries many emails, this array keeps growing. Consider:

  • Limiting the array size
  • Clearing it when form is reset or successfully submitted

9. No Validation on BlockedEmail Model (app/models/blocked_email.rb:5)

The model only validates email presence and uniqueness, but doesn't validate:

  • Email format (should be a valid email)
  • action_type is within valid enum values
  • match_count is non-negative

📝 Minor Issues / Suggestions

10. Regex Escaping Method (lib/validators/email_validator.rb:19)

domains = setting.gsub('.', '\.')

This is a simple but fragile way to escape. Consider using Regexp.escape for more robust escaping:

domains = setting.split('|').map { |d| Regexp.escape(d) }.join('|')

11. Test Uses Stubs Instead of Real Objects (spec/components/validators/email_validator_spec.rb:11)

BlockedEmail.stubs(:should_block?).with(record.email).returns(false)

While stubbing is faster, consider adding integration tests that use real BlockedEmail records to catch issues with the full flow.

12. Missing Edge Case Tests

The specs don't cover:

  • What happens when should_block? is called with nil or empty string
  • Concurrent updates to the same blocked email
  • Case sensitivity of email matching
  • Unicode characters in email addresses

13. Documentation

Consider adding:

  • Class-level comments explaining the purpose of BlockedEmail and EmailValidator
  • Examples of how to add blocked emails
  • Migration guide for existing installations

✅ Good Practices Observed

  • ✅ Proper extraction of validation logic into a dedicated validator class
  • ✅ Good test coverage for the happy path
  • ✅ Using fabricators for test data
  • ✅ Frontend validation feedback enhances UX
  • ✅ Enum pattern for action types provides extensibility
  • ✅ Unique index on email prevents duplicates

🎯 Summary

The PR successfully extracts email validation logic and adds blocked email functionality, but has some critical issues that should be addressed:

  1. Must Fix: Remove side effects from the should_block? validation method
  2. Must Fix: Add newline at end of email_validator.rb
  3. Should Fix: Replace and with && in boolean expression
  4. Should Fix: Make match_count updates atomic
  5. Consider: Add caching for blocked email lookups in high-traffic scenarios
  6. Consider: Add more comprehensive validation and edge case tests

The overall architecture is sound, but the implementation needs refinement around the statistics tracking mechanism.

Tasks

  • Check repository guidelines (CLAUDE.md)
  • Read changed files and understand implementation
  • Review code for bugs, security issues, and best practices
  • Provide comprehensive feedback

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@akshayutture-augment @nlalonde