* @param string $code Confirmation code
*/
private function attemptConfirm( $code ) {
- $user = User::newFromConfirmationCode( $code, User::READ_LATEST );
+ $user = User::newFromConfirmationCode( $code, User::READ_EXCLUSIVE );
if ( !is_object( $user ) ) {
$this->getOutput()->addWikiMsg( 'confirmemail_invalid' );
return;
}
+ // rate limit email confirmations
+ if ( $user->pingLimiter( 'confirmemail' ) ) {
+ $this->getOutput()->addWikiMsg( 'actionthrottledtext' );
+
+ return;
+ }
+
$user->confirmEmail();
$user->saveSettings();
$message = $this->getUser()->isLoggedIn() ? 'confirmemail_loggedin' : 'confirmemail_success';
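Review bot: The added throttle is only consulted after `User::newFromConfirmationCode()` has returned a user, so requests carrying an invalid code leave through the `confirmemail_invalid` branch without ever being counted. If the limit is meant to bound repeated code submissions, ping it against the requester before the lookup, e.g. `if ( $this->getUser()->pingLimiter( 'confirmemail' ) ) {` as the first statement of attemptConfirm(); how the `confirmemail` bucket is keyed (per account or per IP) is configured outside this hunk, so confirm that it also covers anonymous requesters. The switch to `User::READ_EXCLUSIVE` would benefit from a one-line comment such as `// lock the user row so concurrent confirmations of the same code are serialized`, assuming that is the intent. The body of attemptConfirm() continues past the last line shown.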