Add ratelimit to AccessToken, SSH Keys, User creation

rdiffweb/controller/page_admin_users.py

@@ -265,7 +265,8 @@ def index(self):
             ldap_enabled=self.app.cfg.ldap_uri,
         )
 
-    @cherrypy.expose()
+    @cherrypy.expose
+    @cherrypy.tools.ratelimit(methods=['POST'])
     def new(self, **kwargs):
         form = UserForm()
         if form.is_submitted():
@@ -282,7 +283,7 @@ def new(self, **kwargs):
                 flash(form.error_message, level='error')
         return self._compile_template("admin_user_new.html", form=form)
 
-    @cherrypy.expose()
+    @cherrypy.expose
     def edit(self, username_vpath, **kwargs):
         user = UserObject.get_user(username_vpath)
         if not user:
@@ -297,7 +298,7 @@ def edit(self, username_vpath, **kwargs):
                 flash(form.error_message, level='error')
         return self._compile_template("admin_user_edit.html", form=form)
 
-    @cherrypy.expose()
+    @cherrypy.expose
     def delete(self, username=None, **kwargs):
         # Validate form method.
         form = DeleteUserForm()
@@ -320,6 +321,3 @@ def delete(self, username=None, **kwargs):
         else:
             flash(form.error_message, level='error')
         raise cherrypy.HTTPRedirect(url_for('admin', 'users'))
-
-
-# TODO Allow configuration of notification settigns

rdiffweb/controller/page_pref_sshkeys.py

@@ -115,6 +115,7 @@ def populate_obj(self, userobj):
 
 class PagePrefSshKeys(Controller):
     @cherrypy.expose
+    @cherrypy.tools.ratelimit(methods=['POST'])
     def default(self, **kwargs):
         # Handle action
         add_form = SshForm()

rdiffweb/controller/page_pref_tokens.py

@@ -119,6 +119,7 @@ def populate_obj(self, userobj):
 
 class PagePrefTokens(Controller):
     @cherrypy.expose
+    @cherrypy.tools.ratelimit(methods=['POST'])
     def default(self, **kwargs):
         form = TokenForm()
         delete_form = DeleteTokenForm()