Tweak rate limiting point counts for omnipotent users

Summary: Ref T13008. We haven't hit any issues with this, but I can imagine we might in the future. When one host makes an intracluster request to another host, the `$viewer` ends up as the omnipotent viewer. This viewer isn't logged in, so they'll currently accumulate rate limit points at a high rate. Instead, don't give them any points. These requests are always legitimate, and if they originated from a user request, that request should be the one getting rate limited. Test Plan: Browsed around. Reviewers: amckinley Reviewed By: amckinley Maniphest Tasks: T13008 Differential Revision: https://secure.phabricator.com/D18708
2024-11-21 14:22:41 +01:00 · 2017-10-14 07:58:23 -07:00 · 2017-10-14 07:58:23 -07:00 · 819b833607
commit 819b833607
parent 0e645b8f11
1 changed files with 9 additions and 1 deletions
--- a/support/startup/PhabricatorClientRateLimit.php
+++ b/support/startup/PhabricatorClientRateLimit.php
@ -35,7 +35,15 @@ final class PhabricatorClientRateLimit
    // If the user was logged in, let them make more requests.
    if (isset($request_state['viewer'])) {
      $viewer = $request_state['viewer'];
-      if ($viewer->isLoggedIn()) {
+      if ($viewer->isOmnipotent()) {
+        // If the viewer was omnipotent, this was an intracluster request or
+        // some other kind of special request, so don't give it any points
+        // toward rate limiting.
+        $score = 0;
+      } else if ($viewer->isLoggedIn()) {
+        // If the viewer was logged in, give them fewer points than if they
+        // were logged out, since this traffic is much more likely to be
+        // legitimate.
        $score = 0.25;
      }
    }