Merge pull request #21935 from frappe/mergify/bp/version-13-hotfix/pr…

…-21929 fix: rate limit for all HTTP methods (backport #21929)
frappe · Aug 21, 2023 · dd75f6c · dd75f6c
2 parents ee1fb91 + 83c9725
commit dd75f6c
Show file tree

Hide file tree

Showing 3 changed files with 5 additions and 2 deletions.
diff --git a/frappe/core/doctype/user/test_user.py b/frappe/core/doctype/user/test_user.py
@@ -361,6 +361,9 @@ def test_reset_password(self):
 		set_request(path="/random")
 		frappe.local.cookie_manager = CookieManager()
 		frappe.local.login_manager = LoginManager()
+		# used by rate limiter when calling reset_password
+		frappe.local.request_ip = "127.0.0.69"
+		frappe.db.set_single_value("System Settings", "password_reset_limit", 6)
 
 		frappe.set_user("testpassword@example.com")
 		test_user = frappe.get_doc("User", "testpassword@example.com")

diff --git a/frappe/core/doctype/user/user.py b/frappe/core/doctype/user/user.py
@@ -869,7 +869,7 @@ def sign_up(email, full_name, redirect_to):
 
 
 @frappe.whitelist(allow_guest=True)
-@rate_limit(limit=get_password_reset_limit, seconds=24 * 60 * 60, methods=["POST"])
+@rate_limit(limit=get_password_reset_limit, seconds=24 * 60 * 60)
 def reset_password(user):
 	if user == "Administrator":
 		return "not allowed"

diff --git a/frappe/website/doctype/web_form/web_form.py b/frappe/website/doctype/web_form/web_form.py
@@ -412,7 +412,7 @@ def get_web_form_module(doc):
 
 
 @frappe.whitelist(allow_guest=True)
-@rate_limit(key="web_form", limit=5, seconds=60, methods=["POST"])
+@rate_limit(key="web_form", limit=5, seconds=60)
 def accept(web_form, data, for_payment=False):
 	"""Save the web form"""
 	data = frappe._dict(json.loads(data))