fix(files_sharing): rate limit share creation 40 times per 10 minutes#57666
biredel wants to merge 2 commits into nextcloud:master from
Conversation
Was unlimited before nextcloud#50905 setting to 20/600s, which proved to be too low for some legitimate human actions, e.g. chat messages with attachments in Talk. Fix that by bumping to some arbitrary higher value, until some clearer justification for having it lower or higher is determined.
Signed-off-by: biredel <67849440+biredel@users.noreply.github.com>
| */ | ||
| #[NoAdminRequired] | ||
| #[UserRateLimit(limit: 20, period: 600)] | ||
| #[UserRateLimit(limit: 200, period: 600)] |
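Review bot: the hunk sets `#[UserRateLimit(limit: 200, period: 600)]` while the PR title states 40 per 10 minutes, so the attribute and the title disagree; if 40/600 is the intended value, the line should read `#[UserRateLimit(limit: 40, period: 600)]`. A one-line comment above the attribute recording why that value was chosen (the Talk multi-attachment case) would also save the next reader from re-deriving it.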
Maximum I can see in a code base would be 40 / 600
If you really need more, that's instance specific and you can use the ratelimit overwrite to change it in your installation:
https://github.com/nextcloud/server/blob/master/config/config.sample.php#L476-L498
What purpose would failing the cheap 3rd operation serve, after permitting the expensive ones (upload+thumbnail)? This was originally to protect the server from overload, no?
Maximum I can see in a code base would be 40 / 600
Copied into PR, but warrants further discussion.
The scenario where I noticed this is people in a group chat taking a bunch of photos and pasting them into the chat. Because each attachment is shared separately even when multiple are selected in one operation, the new limit on share creation acts as a per-file and not per-message limit. Changing it to use folders would allow for lower limits than what I suggest here without affecting legitimate human usage; but that did not look quite as trivial to implement in the spreed app, so some stop-gap is needed.
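To make the per-file versus per-message point concrete, here is an added example (not Nextcloud code) that runs a fixed-window limiter at the 40/600 s values from this PR against a constructed scenario of three chat messages with 15 photos each; the limiter class, the `simulate` helper and the user name are assumptions of the example, not the server's implementation.

```python
"""Fixed-window per-user rate limiter, used to compare counting one share
per attachment against one share per message (folder share).
Added example; the chat scenario is constructed, not real traffic."""
from collections import defaultdict

LIMIT, PERIOD = 40, 600  # values from the PR title: 40 shares per 10 minutes


class FixedWindowLimiter:
    """Counts events per key inside the current PERIOD-second window."""

    def __init__(self, limit=LIMIT, period=PERIOD):
        self.limit, self.period = limit, period
        # key -> [window_start, count]
        self.windows = defaultdict(lambda: [0.0, 0])

    def allow(self, key, now):
        start, count = self.windows[key]
        if now - start >= self.period:  # window expired: start a fresh one
            start, count = now, 0
        if count >= self.limit:
            self.windows[key] = [start, count]
            return False
        self.windows[key] = [start, count + 1]
        return True


def simulate(messages, per_file, limiter=None, user="alice"):
    """messages: attachment count per chat message, all sent within one window.
    per_file=True mirrors the current behaviour (one share per attachment);
    per_file=False models a single folder share per message.
    Returns (attachments_shared, attachments_rejected)."""
    limiter = limiter or FixedWindowLimiter()
    shared = rejected = 0
    for i, n_files in enumerate(messages):
        now = float(i)  # one second apart, so all inside the same 600 s window
        if per_file:
            for _ in range(n_files):
                if limiter.allow(user, now):
                    shared += 1
                else:
                    rejected += 1
        elif limiter.allow(user, now):
            shared += n_files
        else:
            rejected += n_files
    return shared, rejected
```

With three messages of 15 photos, per-file counting rejects the last five attachments at 40/600 (and 25 of them at the old 20/600), while per-message counting shares all 45 using only three of the 40 slots.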
after permitting the expensive ones (upload+thumbnail)?
It's less that, but more the "you can spam users and guests with notifications and emails".
no goal stated; just copied from review comment
Signed-off-by: biredel <67849440+biredel@users.noreply.github.com>
Share creation was unlimited before #50905 set it to 20/600s. That proved to be too low for (integration tests, and more crucially) some legitimate human actions, e.g. chat messages with attachments in Talk.