1
0
Fork 0
mirror of https://we.phorge.it/source/phorge.git synced 2024-11-21 22:32:41 +01:00

Tweak rate limiting point counts for omnipotent users

Summary:
Ref T13008. We haven't hit any issues with this, but I can imagine we might in the future.

When one host makes an intracluster request to another host, the `$viewer` ends up as the omnipotent viewer. This viewer isn't logged in, so they'll currently accumulate rate limit points at a high rate.

Instead, don't give them any points. These requests are always legitimate, and if they originated from a user request, that request should be the one getting rate limited.

Test Plan: Browsed around.

Reviewers: amckinley

Reviewed By: amckinley

Maniphest Tasks: T13008

Differential Revision: https://secure.phabricator.com/D18708
This commit is contained in:
epriestley 2017-10-14 07:58:23 -07:00
parent 0e645b8f11
commit 819b833607

View file

@ -35,7 +35,15 @@ final class PhabricatorClientRateLimit
// If the user was logged in, let them make more requests.
if (isset($request_state['viewer'])) {
$viewer = $request_state['viewer'];
if ($viewer->isLoggedIn()) {
if ($viewer->isOmnipotent()) {
// If the viewer was omnipotent, this was an intracluster request or
// some other kind of special request, so don't give it any points
// toward rate limiting.
$score = 0;
} else if ($viewer->isLoggedIn()) {
// If the viewer was logged in, give them fewer points than if they
// were logged out, since this traffic is much more likely to be
// legitimate.
$score = 0.25;
}
}