🔒️(backend) configure throttle on every viewsets

We want to configure the throttle on all doc's viewsets. In order to monitor them, we use the MonitoredScopedRateThrottle class and a custom callback caputing the message in sentry at the warning level.
2025-09-05 15:29:08 +02:00
parent 179a84150b
commit 0ac9f059b6
12 changed files with 235 additions and 13 deletions
--- a/src/backend/core/tests/documents/test_api_document_accesses.py
+++ b/src/backend/core/tests/documents/test_api_document_accesses.py
@@ -4,6 +4,7 @@ Test document accesses API endpoints for users in impress's core app.
 # pylint: disable=too-many-lines

 import random
+from unittest import mock
 from uuid import uuid4

 import pytest
@@ -1344,3 +1345,24 @@ def test_api_document_accesses_delete_owners_last_owner_child_team(

    assert response.status_code == 204
    assert models.DocumentAccess.objects.count() == 1
+
+
+def test_api_document_accesses_throttling(settings):
+    """Test api document accesses throttling."""
+    settings.REST_FRAMEWORK["DEFAULT_THROTTLE_RATES"]["document_access"] = "2/minute"
+    user = factories.UserFactory()
+    document = factories.DocumentFactory()
+    factories.UserDocumentAccessFactory(
+        document=document, user=user, role="administrator"
+    )
+    client = APIClient()
+    client.force_login(user)
+    for _i in range(2):
+        response = client.get(f"/api/v1.0/documents/{document.id!s}/accesses/")
+        assert response.status_code == 200
+    with mock.patch("core.api.throttling.capture_message") as mock_capture_message:
+        response = client.get(f"/api/v1.0/documents/{document.id!s}/accesses/")
+        assert response.status_code == 429
+        mock_capture_message.assert_called_once_with(
+            "Rate limit exceeded for scope document_access", "warning"
+        )
--- a/src/backend/core/tests/documents/test_api_document_invitations.py
+++ b/src/backend/core/tests/documents/test_api_document_invitations.py
@@ -824,3 +824,29 @@ def test_api_document_invitations_delete_readers_or_editors(via, role, mock_user
        response.json()["detail"]
        == "You do not have permission to perform this action."
    )
+
+
+def test_api_document_invitations_throttling(settings):
+    """Test api document ask for access throttling."""
+    current_rate = settings.REST_FRAMEWORK["DEFAULT_THROTTLE_RATES"]["invitation"]
+    settings.REST_FRAMEWORK["DEFAULT_THROTTLE_RATES"]["invitation"] = "2/minute"
+    user = factories.UserFactory()
+    document = factories.DocumentFactory()
+
+    factories.UserDocumentAccessFactory(document=document, user=user, role="owner")
+
+    factories.InvitationFactory(document=document, issuer=user)
+
+    client = APIClient()
+    client.force_login(user)
+
+    for _i in range(2):
+        response = client.get(f"/api/v1.0/documents/{document.id}/invitations/")
+        assert response.status_code == 200
+    with mock.patch("core.api.throttling.capture_message") as mock_capture_message:
+        response = client.get(f"/api/v1.0/documents/{document.id}/invitations/")
+        assert response.status_code == 429
+        mock_capture_message.assert_called_once_with(
+            "Rate limit exceeded for scope invitation", "warning"
+        )
+    settings.REST_FRAMEWORK["DEFAULT_THROTTLE_RATES"]["invitation"] = current_rate
--- a/src/backend/core/tests/documents/test_api_documents_ask_for_access.py
+++ b/src/backend/core/tests/documents/test_api_documents_ask_for_access.py
@@ -1,6 +1,7 @@
 """Test API for document ask for access."""

 import uuid
+from unittest import mock

 from django.core import mail

@@ -768,3 +769,35 @@ def test_api_documents_ask_for_access_accept_authenticated_non_root_document(rol
        f"/api/v1.0/documents/{child.id}/ask-for-access/{document_ask_for_access.id}/accept/"
    )
    assert response.status_code == 404
+
+
+def test_api_document_ask_for_access_throttling(settings):
+    """Test api document ask for access throttling."""
+    current_rate = settings.REST_FRAMEWORK["DEFAULT_THROTTLE_RATES"][
+        "document_ask_for_access"
+    ]
+    settings.REST_FRAMEWORK["DEFAULT_THROTTLE_RATES"]["document_ask_for_access"] = (
+        "2/minute"
+    )
+    document = DocumentFactory()
+    DocumentAskForAccessFactory.create_batch(
+        3, document=document, role=RoleChoices.READER
+    )
+
+    user = UserFactory()
+
+    client = APIClient()
+    client.force_login(user)
+
+    for _i in range(2):
+        response = client.get(f"/api/v1.0/documents/{document.id}/ask-for-access/")
+        assert response.status_code == 200
+    with mock.patch("core.api.throttling.capture_message") as mock_capture_message:
+        response = client.get(f"/api/v1.0/documents/{document.id}/ask-for-access/")
+        assert response.status_code == 429
+        mock_capture_message.assert_called_once_with(
+            "Rate limit exceeded for scope document_ask_for_access", "warning"
+        )
+    settings.REST_FRAMEWORK["DEFAULT_THROTTLE_RATES"]["document_ask_for_access"] = (
+        current_rate
+    )
--- a/src/backend/core/tests/documents/test_api_documents_list.py
+++ b/src/backend/core/tests/documents/test_api_documents_list.py
@@ -427,3 +427,20 @@ def test_api_documents_list_favorites_no_extra_queries(django_assert_num_queries
            assert result["is_favorite"] is True
        else:
            assert result["is_favorite"] is False
+
+
+def test_api_documents_list_throttling(settings):
+    """Test api documents throttling."""
+    current_rate = settings.REST_FRAMEWORK["DEFAULT_THROTTLE_RATES"]["document"]
+    settings.REST_FRAMEWORK["DEFAULT_THROTTLE_RATES"]["document"] = "2/minute"
+    client = APIClient()
+    for _i in range(2):
+        response = client.get("/api/v1.0/documents/")
+        assert response.status_code == 200
+    with mock.patch("core.api.throttling.capture_message") as mock_capture_message:
+        response = client.get("/api/v1.0/documents/")
+        assert response.status_code == 429
+        mock_capture_message.assert_called_once_with(
+            "Rate limit exceeded for scope document", "warning"
+        )
+    settings.REST_FRAMEWORK["DEFAULT_THROTTLE_RATES"]["document"] = current_rate
--- a/src/backend/core/tests/templates/test_api_template_accesses.py
+++ b/src/backend/core/tests/templates/test_api_template_accesses.py
@@ -3,6 +3,7 @@ Test template accesses API endpoints for users in impress's core app.
 """

 import random
+from unittest import mock
 from uuid import uuid4

 import pytest
@@ -773,3 +774,26 @@ def test_api_template_accesses_delete_owners_last_owner(via, mock_user_teams):

    assert response.status_code == 403
    assert models.TemplateAccess.objects.count() == 2
+
+
+def test_api_template_accesses_throttling(settings):
+    """Test api template accesses throttling."""
+    current_rate = settings.REST_FRAMEWORK["DEFAULT_THROTTLE_RATES"]["template_access"]
+    settings.REST_FRAMEWORK["DEFAULT_THROTTLE_RATES"]["template_access"] = "2/minute"
+    template = factories.TemplateFactory()
+    user = factories.UserFactory()
+    factories.UserTemplateAccessFactory(
+        template=template, user=user, role="administrator"
+    )
+    client = APIClient()
+    client.force_login(user)
+    for _i in range(2):
+        response = client.get(f"/api/v1.0/templates/{template.id!s}/accesses/")
+        assert response.status_code == 200
+    with mock.patch("core.api.throttling.capture_message") as mock_capture_message:
+        response = client.get(f"/api/v1.0/templates/{template.id!s}/accesses/")
+        assert response.status_code == 429
+        mock_capture_message.assert_called_once_with(
+            "Rate limit exceeded for scope template_access", "warning"
+        )
+    settings.REST_FRAMEWORK["DEFAULT_THROTTLE_RATES"]["template_access"] = current_rate
--- a/src/backend/core/tests/templates/test_api_templates_list.py
+++ b/src/backend/core/tests/templates/test_api_templates_list.py
@@ -218,3 +218,20 @@ def test_api_templates_list_order_param():
    assert response_template_ids == templates_ids, (
        "created_at values are not sorted from oldest to newest"
    )
+
+
+def test_api_template_throttling(settings):
+    """Test api template throttling."""
+    current_rate = settings.REST_FRAMEWORK["DEFAULT_THROTTLE_RATES"]["template"]
+    settings.REST_FRAMEWORK["DEFAULT_THROTTLE_RATES"]["template"] = "2/minute"
+    client = APIClient()
+    for _i in range(2):
+        response = client.get("/api/v1.0/templates/")
+        assert response.status_code == 200
+    with mock.patch("core.api.throttling.capture_message") as mock_capture_message:
+        response = client.get("/api/v1.0/templates/")
+        assert response.status_code == 429
+        mock_capture_message.assert_called_once_with(
+            "Rate limit exceeded for scope template", "warning"
+        )
+    settings.REST_FRAMEWORK["DEFAULT_THROTTLE_RATES"]["template"] = current_rate
--- a/src/backend/core/tests/test_api_config.py
+++ b/src/backend/core/tests/test_api_config.py
@@ -3,6 +3,7 @@ Test config API endpoints in the Impress core app.
 """

 import json
+from unittest.mock import patch

 from django.test import override_settings

@@ -174,3 +175,20 @@ def test_api_config_with_original_theme_customization(is_authenticated, settings
        theme_customization = json.load(f)

    assert content["theme_customization"] == theme_customization
+
+
+def test_api_config_throttling(settings):
+    """Test api config throttling."""
+    current_rate = settings.REST_FRAMEWORK["DEFAULT_THROTTLE_RATES"]["config"]
+    settings.REST_FRAMEWORK["DEFAULT_THROTTLE_RATES"]["config"] = "2/minute"
+    client = APIClient()
+    for _i in range(2):
+        response = client.get("/api/v1.0/config/")
+        assert response.status_code == 200
+    with patch("core.api.throttling.capture_message") as mock_capture_message:
+        response = client.get("/api/v1.0/config/")
+        assert response.status_code == 429
+        mock_capture_message.assert_called_once_with(
+            "Rate limit exceeded for scope config", "warning"
+        )
+    settings.REST_FRAMEWORK["DEFAULT_THROTTLE_RATES"]["config"] = current_rate