Commit 435355fb authored by Patrick Bajao's avatar Patrick Bajao

Merge branch 'jl-epic-rate-limit' into 'master'

Count epics against issue creation rate limit

See merge request gitlab-org/gitlab!67179
parents a7762e04 78e7fa44
...@@ -68,7 +68,7 @@ ...@@ -68,7 +68,7 @@
%button.btn.gl-button.btn-default.js-settings-toggle{ type: 'button' } %button.btn.gl-button.btn-default.js-settings-toggle{ type: 'button' }
= expanded_by_default? ? _('Collapse') : _('Expand') = expanded_by_default? ? _('Collapse') : _('Expand')
%p %p
= _('Limit the number of issues per minute a user can create through web and API requests.') = _('Limit the number of issues and epics per minute a user can create through web and API requests.')
= link_to _('Learn more.'), help_page_path('user/admin_area/settings/rate_limit_on_issues_creation.md'), target: '_blank', rel: 'noopener noreferrer' = link_to _('Learn more.'), help_page_path('user/admin_area/settings/rate_limit_on_issues_creation.md'), target: '_blank', rel: 'noopener noreferrer'
.settings-content .settings-content
= render 'issue_limits' = render 'issue_limits'
......
...@@ -9,7 +9,7 @@ info: To determine the technical writer assigned to the Stage/Group associated w ...@@ -9,7 +9,7 @@ info: To determine the technical writer assigned to the Stage/Group associated w
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/28129) in GitLab 12.10. > [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/28129) in GitLab 12.10.
This setting allows you to rate limit the requests to the issue creation endpoint. This setting allows you to rate limit the requests to the issue and epic creation endpoints.
To can change its value: To can change its value:
1. On the top bar, select **Menu >** **{admin}** **Admin**. 1. On the top bar, select **Menu >** **{admin}** **Admin**.
...@@ -22,6 +22,8 @@ For example, if you set a limit of 300, requests using the ...@@ -22,6 +22,8 @@ For example, if you set a limit of 300, requests using the
[Projects::IssuesController#create](https://gitlab.com/gitlab-org/gitlab/raw/master/app/controllers/projects/issues_controller.rb) [Projects::IssuesController#create](https://gitlab.com/gitlab-org/gitlab/raw/master/app/controllers/projects/issues_controller.rb)
action exceeding a rate of 300 per minute are blocked. Access to the endpoint is allowed after one minute. action exceeding a rate of 300 per minute are blocked. Access to the endpoint is allowed after one minute.
When using [epics](../../group/epics/index.md), epic creation will share this rate limit with issues.
![Rate limits on issues creation](img/rate_limit_on_issues_creation_v14_2.png) ![Rate limits on issues creation](img/rate_limit_on_issues_creation_v14_2.png)
This limit is: This limit is:
......
...@@ -17,6 +17,9 @@ class Groups::EpicsController < Groups::ApplicationController ...@@ -17,6 +17,9 @@ class Groups::EpicsController < Groups::ApplicationController
before_action :verify_group_bulk_edit_enabled!, only: [:bulk_update] before_action :verify_group_bulk_edit_enabled!, only: [:bulk_update]
after_action :log_epic_show, only: :show after_action :log_epic_show, only: :show
# Limit the amount of epics created per minute
before_action :create_rate_limit, only: [:create]
before_action do before_action do
push_frontend_feature_flag(:vue_epics_list, @group, type: :development, default_enabled: :yaml) push_frontend_feature_flag(:vue_epics_list, @group, type: :development, default_enabled: :yaml)
push_frontend_feature_flag(:improved_emoji_picker, @group, type: :development, default_enabled: :yaml) push_frontend_feature_flag(:improved_emoji_picker, @group, type: :development, default_enabled: :yaml)
...@@ -130,4 +133,19 @@ class Groups::EpicsController < Groups::ApplicationController ...@@ -130,4 +133,19 @@ class Groups::EpicsController < Groups::ApplicationController
def verify_group_bulk_edit_enabled! def verify_group_bulk_edit_enabled!
render_404 unless group.licensed_feature_available?(:group_bulk_edit) render_404 unless group.licensed_feature_available?(:group_bulk_edit)
end end
def create_rate_limit
# Epics share the issue creation rate limit
key = :issues_create
if rate_limiter.throttled?(key, scope: current_user)
rate_limiter.log_request(request, "#{key}_request_limit".to_sym, current_user)
render plain: _('This endpoint has been requested too many times. Try again later.'), status: :too_many_requests
end
end
def rate_limiter
::Gitlab::ApplicationRateLimiter
end
end end
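Review bot: `create_rate_limit` throttles on the shared `:issues_create` bucket but logs the event under the env derived from that key, `:issues_create_request_limit` (confirmed by the spec at the `env:` expectation), so an auth.log consumer can only separate epic throttling from issue throttling by inspecting `path`; if that is intended, state it in the comment, e.g. `# Epics share the issue creation rate limit and its auth.log env; distinguish by request path`, otherwise pass a distinct env such as `:epics_create_request_limit` to `log_request` and update the spec. The body looks like a copy of the issues controller's throttle (not visible here); a shared concern would keep key, message and status in sync between the two. The 429 response sets no `Retry-After` header although the docs in this commit promise access again after one minute, so consider `response.headers['Retry-After']` if the limiter exposes the interval. Whether `current_user` can be nil here depends on authorization before_actions outside this hunk; if it can, every anonymous caller would share one `scope: nil` bucket.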
...@@ -483,6 +483,36 @@ RSpec.describe Groups::EpicsController do ...@@ -483,6 +483,36 @@ RSpec.describe Groups::EpicsController do
expect(Epic.count).to eq(0) expect(Epic.count).to eq(0)
end end
end end
context 'when the endpoint receives requests above the limit' do
before do
stub_application_setting(issues_create_limit: 5)
end
it 'prevents from creating more epics', :request_store do
5.times { post :create, params: { group_id: group, epic: { title: 'new epic', description: 'description' } } }
post :create, params: { group_id: group, epic: { title: 'new epic', description: 'description' } }
expect(response.body).to eq(_('This endpoint has been requested too many times. Try again later.'))
expect(response).to have_gitlab_http_status(:too_many_requests)
end
it 'logs the event on auth.log' do
attributes = {
message: 'Application_Rate_Limiter_Request',
env: :issues_create_request_limit,
remote_ip: '0.0.0.0',
request_method: 'POST',
path: group_epics_path(group),
user_id: user.id,
username: user.username
}
expect(Gitlab::AuthLogger).to receive(:error).with(attributes).once
6.times { post :create, params: { group_id: group, epic: { title: 'new epic', description: 'description' } } }
end
end
end end
context 'with unauthorized user' do context 'with unauthorized user' do
......
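Review bot: The 'prevents from creating more epics' example asserts only the body and status of the sixth request, not that the throttled request created nothing; if the surrounding context creates epics successfully, adding `expect(Epic.count).to eq(5)` after the status check would pin that the before_action halts before the action runs. The identical `params:` hash is repeated three times across the two examples; a `let(:params) { { group_id: group, epic: { title: 'new epic', description: 'description' } } }` would keep them in sync. Nothing here exercises the "shared with issues" claim in the commit title, which presumably needs a cross-controller or limiter-level test.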
...@@ -19983,7 +19983,7 @@ msgstr "" ...@@ -19983,7 +19983,7 @@ msgstr ""
msgid "Limit the number of concurrent operations this secondary node can run in the background." msgid "Limit the number of concurrent operations this secondary node can run in the background."
msgstr "" msgstr ""
msgid "Limit the number of issues per minute a user can create through web and API requests." msgid "Limit the number of issues and epics per minute a user can create through web and API requests."
msgstr "" msgstr ""
msgid "Limited to showing %d event at most" msgid "Limited to showing %d event at most"
......