Throttle media post (#7337)

The previous rate limit allowed to post media so fast that it is possible to fill up the disk space even before an administrator notices. The new rate limit is configured so that it takes 24 hours to eat 10 gigabytes: 10 * 1024 / 8 / (24 * 60 / 30) = 27 (which rounded to 30) The period is set long so that it does not prevent from attaching several media to one post, which would happen in a short period. For example, if the period is 5 minutes, the rate limit would be: 10 * 1024 / 8 / (24 * 60 / 5) = 4 This long period allows to lift the limit up.
author: Akihiko Odaki <akihiko.odaki.4i@stu.hosei.ac.jp> 2018-05-04 00:32:00 +0900
committer: Eugen Rochko <eugen@zeonfederated.com> 2018-05-03 17:32:00 +0200
commit: b1d4471e36830aa7dc4425ff6c48035a95c9367a (patch)
tree: 1a81358c283066d05ba1dba60e908537260ae167 /config/initializers/rack_attack.rb
parent: 7495a3470e7d2df139facacf24eca787f3422569 (diff)
1 files changed, 4 insertions, 0 deletions
diff --git a/config/initializers/rack_attack.rb b/config/initializers/rack_attack.rb
index b35452f04..310052e9c 100644
--- a/config/initializers/rack_attack.rb
+++ b/config/initializers/rack_attack.rb
@@ -53,6 +53,10 @@ class Rack::Attack
     req.ip if req.api_request?
   end
 
+  throttle('throttle_media', limit: 30, period: 30.minutes) do |req|
+    req.authenticated_user_id if req.post? && req.path.start_with('/api/v1/media')
+  end
+
   throttle('protected_paths', limit: 25, period: 5.minutes) do |req|
     req.ip if req.post? && req.path =~ PROTECTED_PATHS_REGEX
   end
author	Akihiko Odaki <akihiko.odaki.4i@stu.hosei.ac.jp>	2018-05-04 00:32:00 +0900
committer	Eugen Rochko <eugen@zeonfederated.com>	2018-05-03 17:32:00 +0200
commit	b1d4471e36830aa7dc4425ff6c48035a95c9367a (patch)
tree	1a81358c283066d05ba1dba60e908537260ae167 /config/initializers/rack_attack.rb
parent	7495a3470e7d2df139facacf24eca787f3422569 (diff)