Merge branch 'jl-epic-rate-limit' into 'master'

Count epics against issue creation rate limit See merge request gitlab-org/gitlab!67179

Merge branch 'jl-epic-rate-limit' into 'master'
Count epics against issue creation rate limit See merge request gitlab-org/gitlab!67179
435355fb · Patrick Bajao · a7762e04 · 78e7fa44 · 435355fb · 435355fb
Commit 435355fb authored Aug 12, 2021 by Patrick Bajao
5 changed files
--- a/app/views/admin/application_settings/network.html.haml
+++ b/app/views/admin/application_settings/network.html.haml
@@ -68,7 +68,7 @@
    %button.btn.gl-button.btn-default.js-settings-toggle{ type: 'button' }
      = expanded_by_default? ? _('Collapse') : _('Expand')
    %p
-      = _('Limit the number of issues per minute a user can create through web and API requests.')
+      = _('Limit the number of issues and epics per minute a user can create through web and API requests.')
      = link_to _('Learn more.'), help_page_path('user/admin_area/settings/rate_limit_on_issues_creation.md'), target: '_blank', rel: 'noopener noreferrer'
  .settings-content
    = render 'issue_limits'

--- a/doc/user/admin_area/settings/rate_limit_on_issues_creation.md
+++ b/doc/user/admin_area/settings/rate_limit_on_issues_creation.md
@@ -9,7 +9,7 @@ info: To determine the technical writer assigned to the Stage/Group associated w

 > [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/28129) in GitLab 12.10.

-This setting allows you to rate limit the requests to the issue creation endpoint.
+This setting allows you to rate limit the requests to the issue and epic creation endpoints.
 To can change its value:

 1. On the top bar, select **Menu >** **{admin}** **Admin**.
@@ -22,6 +22,8 @@ For example, if you set a limit of 300, requests using the
 [Projects::IssuesController#create](https://gitlab.com/gitlab-org/gitlab/raw/master/app/controllers/projects/issues_controller.rb)
 action exceeding a rate of 300 per minute are blocked. Access to the endpoint is allowed after one minute.

+When using [epics](../../group/epics/index.md), epic creation will share this rate limit with issues.
+
 ![Rate limits on issues creation](img/rate_limit_on_issues_creation_v14_2.png)

 This limit is:

--- a/ee/app/controllers/groups/epics_controller.rb
+++ b/ee/app/controllers/groups/epics_controller.rb
@@ -17,6 +17,9 @@ class Groups::EpicsController < Groups::ApplicationController
  before_action :verify_group_bulk_edit_enabled!, only: [:bulk_update]
  after_action :log_epic_show, only: :show

+  # Limit the amount of epics created per minute
+  before_action :create_rate_limit, only: [:create]
+
  before_action do
    push_frontend_feature_flag(:vue_epics_list, @group, type: :development, default_enabled: :yaml)
    push_frontend_feature_flag(:improved_emoji_picker, @group, type: :development, default_enabled: :yaml)
@@ -130,4 +133,19 @@ class Groups::EpicsController < Groups::ApplicationController
  def verify_group_bulk_edit_enabled!
    render_404 unless group.licensed_feature_available?(:group_bulk_edit)
  end
+
+  def create_rate_limit
+    # Epics share the issue creation rate limit
+    key = :issues_create
+
+    if rate_limiter.throttled?(key, scope: current_user)
+      rate_limiter.log_request(request, "#{key}_request_limit".to_sym, current_user)
+
+      render plain: _('This endpoint has been requested too many times. Try again later.'), status: :too_many_requests
+    end
+  end
+
+  def rate_limiter
+    ::Gitlab::ApplicationRateLimiter
+  end
 end
--- a/ee/spec/controllers/groups/epics_controller_spec.rb
+++ b/ee/spec/controllers/groups/epics_controller_spec.rb
@@ -483,6 +483,36 @@ RSpec.describe Groups::EpicsController do
            expect(Epic.count).to eq(0)
          end
        end
+
+        context 'when the endpoint receives requests above the limit' do
+          before do
+            stub_application_setting(issues_create_limit: 5)
+          end
+
+          it 'prevents from creating more epics', :request_store do
+            5.times { post :create, params: { group_id: group, epic: { title: 'new epic', description: 'description' } } }
+
+            post :create, params: { group_id: group, epic: { title: 'new epic', description: 'description' } }
+            expect(response.body).to eq(_('This endpoint has been requested too many times. Try again later.'))
+            expect(response).to have_gitlab_http_status(:too_many_requests)
+          end
+
+          it 'logs the event on auth.log' do
+            attributes = {
+              message: 'Application_Rate_Limiter_Request',
+              env: :issues_create_request_limit,
+              remote_ip: '0.0.0.0',
+              request_method: 'POST',
+              path: group_epics_path(group),
+              user_id: user.id,
+              username: user.username
+            }
+
+            expect(Gitlab::AuthLogger).to receive(:error).with(attributes).once
+
+            6.times { post :create, params: { group_id: group, epic: { title: 'new epic', description: 'description' } } }
+          end
+        end
      end

      context 'with unauthorized user' do

--- a/locale/gitlab.pot
+++ b/locale/gitlab.pot
@@ -19983,7 +19983,7 @@ msgstr ""
 msgid "Limit the number of concurrent operations this secondary node can run in the background."
 msgstr ""

-msgid "Limit the number of issues per minute a user can create through web and API requests."
+msgid "Limit the number of issues and epics per minute a user can create through web and API requests."
 msgstr ""

 msgid "Limited to showing %d event at most"