Commit 37c0084c authored by Magdalena Frankiewicz's avatar Magdalena Frankiewicz

Remove rate_limit_user_by_id_endpoint feature flag

Enforce a rate limit on the API endpoint /api/v4/users/:id
of at most 300 calls per 10 minutes per logged-in user,
unless the user is an admin or on the allowlist

Changelog: added
parent 2a40aa33
---
name: rate_limit_user_by_id_endpoint
introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/73069
rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/348796
milestone: '14.6'
type: development
group: group::optimize
default_enabled: false
......@@ -142,13 +142,11 @@ module API
get ":id", feature_category: :users do
forbidden!('Not authorized!') unless current_user
if Feature.enabled?(:rate_limit_user_by_id_endpoint, type: :development)
unless current_user.admin?
check_rate_limit!(:users_get_by_id,
scope: current_user,
users_allowlist: Gitlab::CurrentSettings.current_application_settings.users_get_by_id_limit_allowlist
)
end
unless current_user.admin?
check_rate_limit!(:users_get_by_id,
scope: current_user,
users_allowlist: Gitlab::CurrentSettings.current_application_settings.users_get_by_id_limit_allowlist
)
end
user = User.find_by(id: params[:id])
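Review bot: The new guard `unless current_user.admin?` exempts every admin account on the `admin?` flag alone; if this instance relies on admin mode, an admin session that has not entered admin mode would presumably still bypass the throttle, which is worth confirming against how other admin-only paths in this file are gated. The ordering itself is sound: the check runs before `User.find_by(id: params[:id])`, so requests for ids that do not exist still consume budget and cannot be used as a cheap probe. A short comment above the guard would make both decisions explicit for the next reader: `# Throttle before the lookup so probes for non-existent ids also count; admins and ids on the settings allowlist are exempt.` The `get ":id"` block continues past the end of the hunk.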
......@@ -649,20 +649,6 @@ RSpec.describe API::Users do
expect(response).to have_gitlab_http_status(:ok)
end
end
context 'when feature flag is disabled' do
before do
stub_feature_flags(rate_limit_user_by_id_endpoint: false)
end
it 'does not throttle the request' do
expect(Gitlab::ApplicationRateLimiter).not_to receive(:throttled?)
get api("/users/#{user.id}", user)
expect(response).to have_gitlab_http_status(:ok)
end
end
end
context 'when job title is present' do