By sending multiple times the same form (CTRL+R, and confirm send data), the email address get spammed. No session check is avoiding multiple posts. (you should be able to send it once for session)

We allow same email used again and again ?
I think only one token by email are allowed here.

Hello @DenisChenu actually, the same token gets spammed many times. Maybe only one request per session is not enough, when people can't receive instantly their email for example.
So, maybe a calm-down throttle, configurable by advanced settings is enough to limit sending one email per minute / N minutes for the same token.

It is true, someone could spam someone else's email account using Limesurvey. But only one participant is being created with the same email address.

I'm sorry I wrong typed Expected result. As you noted, registration is ok, happens only once. Correct user story is:
As administrator I want survey participant to get only one notification per session so that spamming personal or others email address can be limited.

Implementation suggestion:

• When "public registration" happens, participant have a token and invited-datetime. Just update invited-datetime each time same email gets registered for participation.
• Add an integer in advanced configuration "calmdown-notification-onregistration-seconds" (default 60)
• When "public registration" form is posted, check for existing invited datetime, convert to unixtimestamp integer, check against NOW() timestamp.
• Validate if difference is greater than calmdown configuration. If can't validate simply throw an error at form submission with translatable string "Please wait a few moments before sending another notification"

Optional UI-UX interface

• a javascript time counter tells the user when submit form again
• a button submit the form again
  Useful when participant didn't recieved their email message.

If you want to do very well perfectly. Form should trigger "invited datetime" only first time when not existant. On token creation.
Then each time participant is already registered, system could update "reminder datetime".

Instead of using a new configuration value, maybe already existent reminder notification rules can be used.

• Max reminders:
• Min days between reminders:

But I'm still in favour for a configurable time in seconds.

It is true, someone could spam someone else's email account using Limesurvey. But only one participant is being created with the same email address.

Oh yes : in 3.X : we send "Already registered" but no email.
In 5.X : already registered + email sent

New global configuration ? Throttle to 3600s by default ? No need JS

https://github.com/LimeSurvey/LimeSurvey/pull/4170

In 5.X : already registered + email sent

We need to keep this :it's a good solution. But need a throttle (and a different message) byè config.php (for starting, adding it in GUI are a feature)

@tibor.pacalat

Right now the solution avoids spam. Only sends email once.
Shall we add as well throttling to the solution so multiple emails can be sent with some time in between them?

Only sends email once.

It was a feature request done between 3 and 5 : receive the email when registered a second time with same email.

There is a sent field on the token tables.
We could use that to at least send the email once per day.
Shall we?

There is a sent field on the token tables.

And we update it when we send email by register.

We could use that to at least send the email once per day.

Yes, or by a config.php setting (best IMHO)

by a config.php setting (best IMHO)

That would be a bigger scope, a Feature Request.
We would need to create an extra field for tracking how many times have we sent the token.
Not complicate, but would ask @tibor.pacalat that we can work on that here.

Is it necessary to save how many times a token was sent? I agree too much implementation.
In previous posts I just suggested to write actual time to "creation datetime", when token is created, and writing into "remainder datetime" any time participant get a notification.
In this situation you can control "notification age" and throttle or not. No need for adding new fields.

https://bugs.limesurvey.org/view.php?id=19960#c82018

and writing into "remainder datetime" any time participant get a notification.

That may create confusion in the reminder system.
Still, we have a sent field we could use.

What we wouldn't be able to do is control how many times per day (or absolute) to be sent.
That would be out of scope. Only once per day max

@tibor.pacalat we need a decision here. Thanks!

@gabrieljenik I would say once per day max is fine. Can we also provide feedback to the user?

Can we also provide feedback to the user?

Yes, we would send different messages for the different situations

We would need to create an extra field for tracking how many times have we sent the token.

No, just limit by hour, you write day : i think best is to set a value in hour (maybe minute) to do not send it each second.

Just : if now - sent < app()->getConfig('register_throttle')

There are no mimit by X , just don't send it each miliseocnds. I think one hour by default is great. Like when trying to register on any website : you can ask a second code after X minutes.

Adding a minimum delay between each sending is what needs to be done to avoid large-scale spam and the blocking of the email address.
I just ask that this delay be in the configuration and not as a fixed value in the code."

Updated the PR.

https://github.com/LimeSurvey/LimeSurvey/pull/4170/files#diff-6f4ac27feb3ec162fd8a3d164030e24d3d121a2df9768a626ce18d9e4649fbc4R352
The part about updating the message sent to the user is kind of complicated as requires to reorganize the whole controller and view.
Success Message is hardcoded and code is a bit complex.

Shall we plan that on another ticket @tibor.pacalat? Thoughts?