Cache what a crop is harvested for (#4582 )

Merge pull request #4581 from Growstuff/add-rack-attack-protection-3014929071908440304
Add Rack::Attack rate limiting and Fail2Ban protection
2026-05-25 09:19:15 -04:00 · 2026-04-27 13:32:45 +09:30 · 2026-04-27 13:23:17 +09:30 · 2026-04-27 03:52:11 +00:00 · 2026-04-27 02:15:17 +09:30 · 2026-04-27 01:48:35 +09:30
12 changed files with 183 additions and 14 deletions
--- a/2
+++ b/2
@@ -116,6 +116,8 @@ gem 'xmlrpc' # fixes rake error - can be removed if not needed later

 gem 'puma'

+gem 'rack-attack'
+
 gem 'loofah', '>= 2.19.1'
 gem 'rack-protection', '>= 2.0.1'

--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -503,6 +503,8 @@ GEM
    query_diet (0.7.3)
    racc (1.8.1)
    rack (2.2.23)
+    rack-attack (6.8.0)
+      rack (>= 1.0, < 4)
    rack-cors (2.0.2)
      rack (>= 2.0.0)
    rack-protection (3.2.0)
@@ -841,6 +843,7 @@ DEPENDENCIES
  pry
  puma
  query_diet
+  rack-attack
  rack-cors
  rack-protection (>= 2.0.1)
  rails (~> 7.2.0)
--- a/app/controllers/charts/crops_controller.rb
+++ b/app/controllers/charts/crops_controller.rb
@@ -14,9 +14,12 @@ module Charts

    def harvested_for
      @crop = Crop.find_by!(slug: params[:crop_slug])
-      render json: Harvest.joins(:plant_part)
-        .where(crop: @crop)
-        .group("plant_parts.name").count(:id)
+      data = Rails.cache.fetch("#{@crop.cache_key_with_version}/harvested_for", expires_in: 1.day) do
+        Harvest.joins(:plant_part)
+          .where(crop: @crop)
+          .group("plant_parts.name").count(:id)
+      end
+      render json: data
    end

    private
--- a/app/models/member.rb
+++ b/app/models/member.rb
@@ -196,4 +196,25 @@ class Member < ApplicationRecord
  def get_block(member)
    blocks.find_by(blocked_id: member.id) if already_blocking?(member)
  end
+
+  def has_activity?
+    (gardens.exists? && gardens.count > 1) ||
+      plantings.exists? ||
+      harvests.exists? ||
+      seeds.exists? ||
+      photos.exists? ||
+      forums.exists? ||
+      activities.exists? ||
+      posts.exists? ||
+      comments.exists? ||
+      requested_crops.exists? ||
+      created_crops.exists? ||
+      likes.exists? ||
+      created_alternate_names.exists? ||
+      created_scientific_names.exists? ||
+      follows.exists? ||
+      inverse_follows.exists? ||
+      blocks.exists? ||
+      inverse_blocks.exists?
+  end
 end
--- a/app/views/alternate_names/_form.html.haml
+++ b/app/views/alternate_names/_form.html.haml
@@ -22,8 +22,8 @@
      .form-group
        = f.label :crop_id, class: 'control-label col-md-2'
        .col-md-8
-          = collection_select(:alternate_name, :crop_id,
-                              Crop.all, :id, :name,
+          = select(:alternate_name, :crop_id,
+                              Crop.order(:name).pluck(:name, :id),
                              { selected: @alternate_name.crop_id || @crop.id },
                              class: 'form-control')

--- a/app/views/crops/_form.html.haml
+++ b/app/views/crops/_form.html.haml
@@ -85,7 +85,7 @@

      -# Only crop wranglers see the crop hierarchy (for now)
      - if can? :wrangle, @crop
-        = f.collection_select(:parent_id, Crop.all.order(:name), :id, :name,
+        = f.select(:parent_id, Crop.order(:name).pluck(:name, :id),
          { include_blank: true, label: 'Parent crop'})
        %span.help-block Optional. For setting up crop hierarchies for varieties etc.

--- a/app/views/crops/show.html.haml
+++ b/app/views/crops/show.html.haml
@@ -73,10 +73,11 @@
              = pie_chart crop_harvested_for_path(@crop, format: :json), legend: "bottom"

    - if @crop.varieties.any?
-      %section.varieties
-        %h2 Varieties
-        .index-cards
-          = render 'varieties', crop: @crop
+      - cache [@crop, 'varieties'] do
+        %section.varieties
+          %h2 Varieties
+          .index-cards
+            = render 'varieties', crop: @crop

    %section.crop-map
      %h2
@@ -134,9 +135,11 @@
    = render 'harvests', crop: @crop
    = render 'find_seeds', crop: @crop

-    = render 'openfarm_data', crop: @crop
+    - cache [@crop, 'openfarm_data'] do
+      = render 'openfarm_data', crop: @crop

-    = render 'nutritional_data', crop: @crop
+    - cache [@crop, 'nutritional_data'] do
+      = render 'nutritional_data', crop: @crop

    = cute_icon
    .card
--- a/app/views/scientific_names/_form.html.haml
+++ b/app/views/scientific_names/_form.html.haml
@@ -17,8 +17,8 @@
  .form-group
    = f.label :crop_id, class: 'control-label col-md-2'
    .col-md-8
-      = collection_select(:scientific_name, :crop_id, Crop.all.order(:name), :id,
-        :name, { selected: @scientific_name.crop_id || @crop.id },
+      = select(:scientific_name, :crop_id, Crop.order(:name).pluck(:name, :id),
+        { selected: @scientific_name.crop_id || @crop.id },
        class: 'form-control')
  .form-group
    = f.label :name, class: 'control-label col-md-2'
--- a/config/application.rb
+++ b/config/application.rb
@@ -73,6 +73,8 @@ module Growstuff
    config.newsletter_list_id = ENV.fetch('GROWSTUFF_MAILCHIMP_NEWSLETTER_ID', nil)

    # config.active_record.raise_in_transactional_callbacks = true
+    config.middleware.insert_before 0, Rack::Attack
+
    config.middleware.insert_before 0, Rack::Cors do
      allow do
        origins '*'
--- a/config/initializers/rack_attack.rb
+++ b/config/initializers/rack_attack.rb
@@ -0,0 +1,34 @@
+# frozen_string_literal: true
+
+class Rack::Attack
+  ### Throttle Config ###
+
+  if Rails.env.production?
+    # Throttle requests to /plantings, /harvests, and /members to 10 per minute per IP
+    # Includes API routes
+    throttle('req/ip/restricted_routes', limit: 20, period: 1.minute) do |req|
+      if req.path =~ %r{^/(plantings|harvests|members)(/|$)} || req.path =~ %r{^/api/v1/(plantings|harvests|members)(/|$)}
+        req.ip
+      end
+    end
+
+    ### Fail2Ban Config ###
+
+    # Block IPs that make too many requests to suspicious paths
+    # After 5 "bad" requests in 10 minutes, block the IP for 1 hour
+    blocklist('fail2ban/pentesters') do |req|
+      Fail2Ban.filter("pentesters-#{req.ip}", maxretry: 5, findtime: 10.minutes, bantime: 1.hour) do
+        # The count for the IP is incremented if the return value is truthy.
+        req.path.include?('wp-admin') ||
+          req.path.include?('wp-login') ||
+          req.path.include?('cgi-bin') ||
+          req.path.end_with?('.php', '.asp', '.aspx', '.jsp', '.exe', '.env', '.git')
+      end
+    end
+  end
+
+  ### Custom Response Headers ###
+
+  # Add Retry-After header to throttled responses
+  self.throttled_response_retry_after_header = true
+end
--- a/lib/tasks/members.rake
+++ b/lib/tasks/members.rake
@@ -0,0 +1,33 @@
+# frozen_string_literal: true
+
+namespace :members do
+  desc "Remove inactive members with no activity and last login > 24 months ago"
+  # usage: rake members:cleanup_inactive
+  # usage: DRY_RUN=true rake members:cleanup_inactive
+  task cleanup_inactive: :environment do
+    limit_date = 3.years.ago
+    dry_run = ENV.fetch('DRY_RUN', 'false') == 'true'
+
+    inactive_members = Member.where("last_sign_in_at < ? OR (last_sign_in_at IS NULL AND created_at < ?)", limit_date, limit_date)
+
+    count = 0
+    inactive_members.find_each do |member|
+      # Check for activity using the model method
+      unless member.has_activity?
+        if dry_run
+          puts "[DRY RUN] Would delete inactive member: #{member.login_name} (ID: #{member.id}, Last login: #{member.last_sign_in_at || 'Never'}, Created: #{member.created_at})"
+        else
+          puts "Deleting inactive member: #{member.login_name} (ID: #{member.id}, Last login: #{member.last_sign_in_at || 'Never'}, Created: #{member.created_at})"
+          member.destroy
+        end
+        count += 1
+      end
+    end
+
+    if dry_run
+      puts "Total inactive members that would be deleted: #{count}"
+    else
+      puts "Total inactive members deleted: #{count}"
+    end
+  end
+end
--- a/spec/tasks/members_spec.rb
+++ b/spec/tasks/members_spec.rb
@@ -0,0 +1,68 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+require 'rake'
+
+describe 'members:cleanup_inactive' do
+  before :all do
+    Rails.application.load_tasks
+  end
+
+  let(:cleanup_task) { Rake::Task['members:cleanup_inactive'] }
+
+  before do
+    cleanup_task.reenable
+  end
+
+  it "deletes inactive members with no gardens and no other activity" do
+    inactive_no_activity = create(:member, last_sign_in_at: 25.months.ago)
+
+    # We must explicitly remove the default garden to test the "no gardens" condition
+    inactive_no_activity.gardens.destroy_all
+    expect(inactive_no_activity.gardens.count).to eq(0)
+
+    cleanup_task.invoke
+
+    expect(Member.exists?(inactive_no_activity.id)).to be_falsey
+  end
+
+  it "does not delete inactive members with a garden (even if empty)" do
+    inactive_with_garden = create(:member, last_sign_in_at: 25.months.ago)
+    # They have 1 default garden
+    expect(inactive_with_garden.gardens.count).to eq(1)
+
+    cleanup_task.invoke
+
+    expect(Member.exists?(inactive_with_garden.id)).to be_truthy
+  end
+
+  it "does not delete members with recent login" do
+    recent_member = create(:member, last_sign_in_at: 1.month.ago)
+    recent_member.gardens.destroy_all
+
+    cleanup_task.invoke
+
+    expect(Member.exists?(recent_member.id)).to be_truthy
+  end
+
+  it "does not delete inactive members with activity (posts)" do
+    inactive_with_post = create(:member, last_sign_in_at: 25.months.ago)
+    inactive_with_post.gardens.destroy_all
+    create(:post, author: inactive_with_post)
+
+    cleanup_task.invoke
+
+    expect(Member.exists?(inactive_with_post.id)).to be_truthy
+  end
+
+  it "honors DRY_RUN environment variable" do
+    inactive_no_activity = create(:member, last_sign_in_at: 25.months.ago)
+    inactive_no_activity.gardens.destroy_all
+
+    ENV['DRY_RUN'] = 'true'
+    cleanup_task.invoke
+    ENV['DRY_RUN'] = nil
+
+    expect(Member.exists?(inactive_no_activity.id)).to be_truthy
+  end
+end
Author	SHA1	Message	Date
Daniel O'Connor	bd637c3310	Cache what a crop is harvested for (#4582 )	2026-04-27 13:32:45 +09:30
Daniel O'Connor	9abb0d02b9	Merge pull request #4581 from Growstuff/add-rack-attack-protection-3014929071908440304 Add Rack::Attack rate limiting and Fail2Ban protection	2026-04-27 13:23:17 +09:30
Daniel O'Connor	2e56f8cb2f	Cache what a crop is harvested for	2026-04-27 03:52:11 +00:00
Daniel O'Connor	3127f45d0f	Merge pull request #4578 from Growstuff/member-inactive-delete Delete inactive members with no activity in 3 years	2026-04-27 02:15:17 +09:30
Daniel O'Connor	15571940f5	Add fragment cache for crop partials (#4577 )	2026-04-27 01:48:35 +09:30
Daniel O'Connor	8e7dd25e98	Add rake task to cleanup inactive members (#4574 ) * Add members:cleanup_inactive rake task This task identifies and deletes members who have not logged in for over 24 months and have no gardens, plantings, or other activity (posts, comments, seeds, harvests, etc). Includes support for DRY_RUN=true to preview deletions. Added tests in spec/tasks/members_spec.rb. Co-authored-by: CloCkWeRX <365751+CloCkWeRX@users.noreply.github.com> * Refactor activity check to Member#has_activity? and update rake task - Added `Member#has_activity?` to encapsulate the check for gardens, plantings, and other activity. - Updated `members:cleanup_inactive` rake task to use `Member#has_activity?`. - Maintained `DRY_RUN` support and existing tests. Co-authored-by: CloCkWeRX <365751+CloCkWeRX@users.noreply.github.com> * Apply suggestion from @CloCkWeRX * Apply suggestions from code review Co-authored-by: Daniel O'Connor <daniel.oconnor@gmail.com> --------- Co-authored-by: google-labs-jules[bot] <161369871+google-labs-jules[bot]@users.noreply.github.com>	2026-04-27 01:40:54 +09:30
Daniel O'Connor	2723599f27	Add fragment cache for crop partials	2026-04-26 16:07:29 +00:00
Daniel O'Connor	98c8bdc0bb	Merge pull request #4564 from Growstuff/memory-optimization-2149092598558110155 Memory usage optimization	2026-04-27 00:37:51 +09:30