Modify archive rate limit to throttle by user

In the previous implementation, an unauthenticated user attempting to download the archive repeatedly would interfere with authenticated users. To avoid that, we increase the scope of the limiter to include the user.

Modify archive rate limit to throttle by user
In the previous implementation, an unauthenticated user attempting to download the archive repeatedly would interfere with authenticated users. To avoid that, we increase the scope of the limiter to include the user.
69a37bc7 · Stan Hu · 01b90fc7 · 69a37bc7 · 69a37bc7
Commit 69a37bc7 authored Feb 22, 2020 by Stan Hu
Hide whitespace changes
Inline Side-by-side

Showing with 2 additions and 1 deletion

lib/gitlab/rate_limit_helpers.rb lib/gitlab/rate_limit_helpers.rb +1 -1

spec/lib/gitlab/rate_limit_helpers_spec.rb spec/lib/gitlab/rate_limit_helpers_spec.rb +1 -0

No files found.
--- a/lib/gitlab/rate_limit_helpers.rb
+++ b/lib/gitlab/rate_limit_helpers.rb
@@ -11,7 +11,7 @@ module Gitlab

      key = ARCHIVE_RATE_THROTTLE_KEY

-      if rate_limiter.throttled?(key, scope: [project], threshold: archive_rate_threshold_by_user(user))
+      if rate_limiter.throttled?(key, scope: [project, user], threshold: archive_rate_threshold_by_user(user))
        rate_limiter.log_request(request, "#{key}_request_limit".to_sym, user)

        return true

--- a/spec/lib/gitlab/rate_limit_helpers_spec.rb
+++ b/spec/lib/gitlab/rate_limit_helpers_spec.rb
@@ -43,6 +43,7 @@ describe Gitlab::RateLimitHelpers, :clean_gitlab_redis_shared_state do
        end

        expect(class_instance.archive_rate_limit_reached?(nil, project)).to be_truthy
+        expect(class_instance.archive_rate_limit_reached?(user, project)).to be_falsey
      end
    end
  end