Fix 2125

Make the caller responsible to know whether the rate-limit code should be called or not
3 years ago · 7f89a29790
parent 3453d12ccb
commit 7f89a29790
2 changed files with 6 additions and 6 deletions
--- a/core/admin/mailu/internal/views/auth.py
+++ b/core/admin/mailu/internal/views/auth.py
@ -31,6 +31,7 @@ def nginx_authentication():
    for key, value in headers.items():
        response.headers[key] = str(value)
    is_valid_user = False
+    is_from_webmail = headers['Auth-Port'] in ['10143', '10025']
    if response.headers.get("Auth-User-Exists"):
        username = response.headers["Auth-User"]
        if utils.limiter.should_rate_limit_user(username, client_ip):
@ -47,7 +48,7 @@ def nginx_authentication():
        utils.limiter.exempt_ip_from_ratelimits(client_ip)
    elif is_valid_user:
        utils.limiter.rate_limit_user(username, client_ip)
-    else:
+    elif not is_from_webmail:
        utils.limiter.rate_limit_ip(client_ip)
    return response

--- a/core/admin/mailu/limiter.py
+++ b/core/admin/mailu/limiter.py
@ -53,11 +53,10 @@ class LimitWraperFactory(object):
        return is_rate_limited

    def rate_limit_ip(self, ip):
-        if ip != app.config['WEBMAIL_ADDRESS']:
-            limiter = self.get_limiter(app.config["AUTH_RATELIMIT_IP"], 'auth-ip')
-            client_network = utils.extract_network_from_ip(ip)
-            if self.is_subject_to_rate_limits(ip):
-                limiter.hit(client_network)
+        limiter = self.get_limiter(app.config["AUTH_RATELIMIT_IP"], 'auth-ip')
+        client_network = utils.extract_network_from_ip(ip)
+        if self.is_subject_to_rate_limits(ip):
+            limiter.hit(client_network)

    def should_rate_limit_user(self, username, ip, device_cookie=None, device_cookie_name=None):
        limiter = self.get_limiter(app.config["AUTH_RATELIMIT_USER"], 'auth-user')