Merge pull request #24636 from frappe/mergify/bp/version-15-hotfix/pr…

…-24634 fix: make rate_limiter respect multitenancy (backport #24634)
frappe · Jan 31, 2024 · 9c1ed0b · 9c1ed0b
2 parents bc57297 + d25bfd9
commit 9c1ed0b
Show file tree

Hide file tree

Showing 4 changed files with 3 additions and 4 deletions.
diff --git a/frappe/core/doctype/server_script/test_server_script.py b/frappe/core/doctype/server_script/test_server_script.py
@@ -238,7 +238,6 @@ def test_scripts_all_the_way_down(self):
 		script.execute_method()
 
 	def test_server_script_rate_limiting(self):
-		# why not
 		script1 = frappe.get_doc(
 			doctype="Server Script",
 			name="rate_limited_server_script",

diff --git a/frappe/core/doctype/user/user.py b/frappe/core/doctype/user/user.py
@@ -1018,7 +1018,7 @@ def sign_up(email: str, full_name: str, redirect_to: str) -> tuple[int, str]:
 
 
 @frappe.whitelist(allow_guest=True)
-@rate_limit(limit=get_password_reset_limit, seconds=24 * 60 * 60)
+@rate_limit(limit=get_password_reset_limit, seconds=60 * 60)
 def reset_password(user: str) -> str:
 	if user == "Administrator":
 		return "not allowed"

diff --git a/frappe/rate_limiter.py b/frappe/rate_limiter.py
@@ -137,7 +137,7 @@ def wrapper(*args, **kwargs):
 			if not identity:
 				frappe.throw(_("Either key or IP flag is required."))
 
-			cache_key = f"rl:{frappe.form_dict.cmd}:{identity}"
+			cache_key = frappe.cache.make_key(f"rl:{frappe.form_dict.cmd}:{identity}")
 
 			value = frappe.cache.get(cache_key) or 0
 			if not value:

diff --git a/frappe/utils/password.py b/frappe/utils/password.py
@@ -215,4 +215,4 @@ def get_encryption_key():
 
 
 def get_password_reset_limit():
-	return frappe.db.get_single_value("System Settings", "password_reset_limit") or 0
+	return frappe.get_system_settings("password_reset_limit") or 3