Commit d2b2e94e authored by Pavel Shutsin's avatar Pavel Shutsin

Merge branch 'fix-project-export-download-rate-limit-api' into 'master'

Apply scope fix for throttling project export downloads to the API

See merge request gitlab-org/gitlab!84754
parents 750f979e 08f8c37b
...@@ -25,7 +25,7 @@ module API ...@@ -25,7 +25,7 @@ module API
detail 'This feature was introduced in GitLab 10.6.' detail 'This feature was introduced in GitLab 10.6.'
end end
get ':id/export/download' do get ':id/export/download' do
check_rate_limit! :project_download_export, scope: [current_user, user_project] check_rate_limit! :project_download_export, scope: [current_user, user_project.namespace]
if user_project.export_file_exists? if user_project.export_file_exists?
if user_project.export_archive_exists? if user_project.export_archive_exists?
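Review bot: The new scope `[current_user, user_project.namespace]` keys the limiter on the project's immediate namespace, so for a project inside a subgroup the per-user counter is per subgroup rather than per top-level group; if the intent is one budget per group hierarchy, `user_project.namespace.root_ancestor` would be the scope to use — worth confirming against the scope the web controller uses for the same limit, which this merge presumably mirrors. The endpoint description above still says only `detail 'This feature was introduced in GitLab 10.6.'`; since a 429 is now a documented outcome of this call, consider extending it with a sentence such as "Rate limited per user and namespace (see the project_download_export_limit setting)." The `get ':id/export/download'` block continues past the end of this hunk.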
...@@ -260,6 +260,29 @@ RSpec.describe API::ProjectExport, :clean_gitlab_redis_cache do ...@@ -260,6 +260,29 @@ RSpec.describe API::ProjectExport, :clean_gitlab_redis_cache do
expect(json_response['message']['error']).to eq('This endpoint has been requested too many times. Try again later.') expect(json_response['message']['error']).to eq('This endpoint has been requested too many times. Try again later.')
end end
end end
context 'applies correct scope when throttling' do
before do
stub_application_setting(project_download_export_limit: 1)
end
it 'throttles downloads within same namespaces' do
# simulate prior request to the same namespace, which increments the rate limit counter for that scope
Gitlab::ApplicationRateLimiter.throttled?(:project_download_export, scope: [user, project_finished.namespace])
get api(download_path_finished, user)
expect(response).to have_gitlab_http_status(:too_many_requests)
end
it 'allows downloads from different namespaces' do
# simulate prior request to a different namespace, which increments the rate limit counter for that scope
Gitlab::ApplicationRateLimiter.throttled?(:project_download_export,
scope: [user, create(:project, :with_export).namespace])
get api(download_path_finished, user)
expect(response).to have_gitlab_http_status(:ok)
end
end
end end
context 'when user is a maintainer' do context 'when user is a maintainer' do
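Review bot: The second example, 'allows downloads from different namespaces', passes under both the previous project-level scope and the new namespace-level scope, so it only guards against an over-broad user-only scope; only the first example actually pins the namespace granularity, and it does so by priming `Gitlab::ApplicationRateLimiter.throttled?` directly with the scope array the endpoint is expected to use, which couples the spec to that internal call shape. A stronger end-to-end check would create a second project in the same namespace as `project_finished` (e.g. `create(:project, :with_export, namespace: project_finished.namespace)` with `user` given access), download both through the API, and expect the second response to be `:too_many_requests`. Minor wording: `it 'throttles downloads within the same namespace' do` reads better than "within same namespaces". The `user` and `project_finished` definitions this context relies on are outside the hunk.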