From 7f89a297900f39182bedb2076ca710e18af29782 Mon Sep 17 00:00:00 2001
From: Florent Daigniere
Date: Mon, 3 Jan 2022 13:38:21 +0100
Subject: [PATCH] Fix 2125
Make the caller responsible to know whether the rate-limit code should be called or not
---
 core/admin/mailu/internal/views/auth.py | 3 ++-
 core/admin/mailu/limiter.py | 9 ++++-----
 2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/core/admin/mailu/internal/views/auth.py b/core/admin/mailu/internal/views/auth.py
index 270b5cdf..3626bad5 100644
--- a/core/admin/mailu/internal/views/auth.py
+++ b/core/admin/mailu/internal/views/auth.py
@@ -31,6 +31,7 @@ def nginx_authentication():
 for key, value in headers.items():
 response.headers[key] = str(value)
 is_valid_user = False
+ is_from_webmail = headers['Auth-Port'] in ['10143', '10025']
 if response.headers.get("Auth-User-Exists"):
 username = response.headers["Auth-User"]
 if utils.limiter.should_rate_limit_user(username, client_ip):
@@ -47,7 +48,7 @@ def nginx_authentication():
 utils.limiter.exempt_ip_from_ratelimits(client_ip)
 elif is_valid_user:
 utils.limiter.rate_limit_user(username, client_ip)
- else:
+ elif not is_from_webmail:
 utils.limiter.rate_limit_ip(client_ip)
 return response
diff --git a/core/admin/mailu/limiter.py b/core/admin/mailu/limiter.py
index 3bc65f4f..be4199d2 100644
--- a/core/admin/mailu/limiter.py
+++ b/core/admin/mailu/limiter.py
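Review bot: `is_from_webmail = headers['Auth-Port'] in ['10143', '10025']` compares the raw value from `headers` against string literals, yet the loop just above copies those same values into `response.headers` through `str(value)`, which suggests they are not necessarily strings; if `Auth-Port` is an int the membership test is always false and webmail traffic keeps being IP rate-limited, and if the key is absent (for example on a failed lookup) the subscript raises KeyError before any limiter code runs. Reading the already-stringified copy avoids both, e.g. `is_from_webmail = response.headers.get('Auth-Port') in ('10143', '10025')`. In the second hunk, `elif not is_from_webmail:` means failed attempts for unknown users on those ports are now recorded nowhere; if the rationale is that all webmail users share one source address, say so in a comment such as `# webmail connections share one source IP; per-IP limiting would lock out every webmail user` so the exemption is not mistaken for an oversight. Where `headers` comes from is outside the hunk, so it is worth confirming that `Auth-Port` is set by the proxy and not influenceable by the client before it is trusted as the exemption key; nginx_authentication starts before and ends after these hunks.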
@@ -53,11 +53,10 @@ class LimitWraperFactory(object):
 return is_rate_limited
 def rate_limit_ip(self, ip):
- if ip != app.config['WEBMAIL_ADDRESS']:
- limiter = self.get_limiter(app.config["AUTH_RATELIMIT_IP"], 'auth-ip')
- client_network = utils.extract_network_from_ip(ip)
- if self.is_subject_to_rate_limits(ip):
- limiter.hit(client_network)
+ limiter = self.get_limiter(app.config["AUTH_RATELIMIT_IP"], 'auth-ip')
+ client_network = utils.extract_network_from_ip(ip)
+ if self.is_subject_to_rate_limits(ip):
+ limiter.hit(client_network)
 def should_rate_limit_user(self, username, ip, device_cookie=None, device_cookie_name=None):
 limiter = self.get_limiter(app.config["AUTH_RATELIMIT_USER"], 'auth-user')
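Review bot: `rate_limit_ip` no longer checks `app.config['WEBMAIL_ADDRESS']`, so the exemption now rests entirely on every caller deciding whether to call it, and any caller other than the `nginx_authentication` site changed in this patch (none are visible here) will start counting failed attempts against the webmail address. That contract belongs on the method itself, e.g. the docstring `"""Record a failed attempt against ip's network. Callers must not invoke this for webmail-originated traffic; the WEBMAIL_ADDRESS exemption now lives in the caller."""`. As a minor point, `self.is_subject_to_rate_limits(ip)` could be evaluated before `get_limiter` and `extract_network_from_ip` so exempt addresses skip that work, `if not self.is_subject_to_rate_limits(ip): return`. The enclosing class LimitWraperFactory continues outside the hunk.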