Merge pull request #1331 from glogiotatidis/issue-1186-rate-limit

[Fix #1186] Rate limit public job list view.
mozmeao · Feb 28, 2020 · 47d02ae · 47d02ae
2 parents 24f9185 + cbfad75
commit 47d02ae
Show file tree

Hide file tree

Showing 5 changed files with 49 additions and 3 deletions.
diff --git a/requirements.txt b/requirements.txt
@@ -505,3 +505,6 @@ redash-dynamic-query==1.0.4 \
     --hash=sha256:d2756ad2f7fd21f33cbf8c751ec3fccaf9ad350a27b968cd56b3d1783650b5f9
 pystache==0.5.4 \
     --hash=sha256:f7bbc265fb957b4d6c7c042b336563179444ab313fb93a719759111eabd3b85a
+django-ratelimit==2.0.0 \
+    --hash=sha256:40dd23dcdda413d2199bb88b4d9151bf66ea19586b2047ada313ddcf77e2959c \
+    --hash=sha256:ddb6bd68a7a25fab335a0441671681ce9993167e640a2301a2e0e07ce9dd46fb
diff --git a/snippets/base/templates/base/ratelimited.jinja b/snippets/base/templates/base/ratelimited.jinja
@@ -0,0 +1,13 @@
+{% extends 'base/base.jinja' %}
+{% block headextras %}
+  <style>
+   #heart {
+       color: Orange;
+   }
+  </style>
+{% endblock %}
+{% block content %}
+  <p>
+    Slow down, you 're browsing this site too fast! Try again in a few minutes.
+  </p>
+{% endblock %}
diff --git a/snippets/base/views.py b/snippets/base/views.py
@@ -17,6 +17,7 @@
 import sentry_sdk
 from django_filters.views import FilterView
 from django_statsd.clients import statsd
+from ratelimit.decorators import ratelimit
 
 from snippets.base import util
 from snippets.base.bundles import ASRSnippetBundle, SnippetBundle
@@ -35,8 +36,20 @@ class HomeView(TemplateView):
     template_name = 'base/home.jinja'
 
 
-class JobListView(TemplateView):
-    template_name = 'base/temporarilyDisabled.jinja'
+class JobListView(FilterView):
+    filterset_class = JobFilter
+
+    @ratelimit(rate=settings.RATELIMIT_RATE, block=True,
+               key=lambda g, r: r.META.get('HTTP_X_FORWARDED_FOR', r.META['REMOTE_ADDR']))
+    def get(self, request, **kwargs):
+        return super().get(request, **kwargs)
+
+    @property
+    def template_name(self):
+        if self.request.GET.get('calendar', 'false') == 'true':
+            return 'base/jobs_list_calendar.jinja'
+
+        return 'base/jobs_list_table.jinja'
 
 
 def fetch_snippets(request, **kwargs):

diff --git a/snippets/settings.py b/snippets/settings.py
@@ -389,3 +389,6 @@
 USE_PREGEN_BUNDLES = config('USE_PREGEN_BUNDLES', default=False, cast=bool)
 
 NIGHTLY_INCLUDES_RELEASE = config('NIGHTLY_INCLUDES_RELEASE', default=False, cast=bool)
+
+RATELIMIT_ENABLE = config('RATELIMIT_ENABLE', default=False, cast=bool)
+RATELIMIT_RATE = config('RATELIMIT_RATE', default='10/m')
diff --git a/snippets/urls.py b/snippets/urls.py
@@ -1,17 +1,31 @@
 from django.conf import settings
 from django.contrib import admin
 from django.contrib.staticfiles.urls import staticfiles_urlpatterns
-from django.http import HttpResponse
+from django.http import HttpResponse, HttpResponseForbidden
 from django.views.generic import RedirectView
 from django.views.static import serve as static_serve
+from django.shortcuts import render
 from django.urls import include, path, re_path
 
+import sentry_sdk
+from ratelimit.exceptions import Ratelimited
+
 
 def robots_txt(request):
     permission = 'Allow' if settings.ENGAGE_ROBOTS else 'Disallow'
     return HttpResponse('User-agent: *\n{0}: /'.format(permission), content_type='text/plain')
 
 
+def handler403(request, exception=None):
+    if isinstance(exception, Ratelimited):
+        with sentry_sdk.configure_scope() as scope:
+            scope.level = 'info'
+            scope.set_tag('logger', 'ratelimited')
+            sentry_sdk.capture_message(message='Rate limited')
+        return render(request, template_name='base/ratelimited.jinja', status=429)
+    return HttpResponseForbidden('Forbidden')
+
+
 urlpatterns = [
     path('', include('snippets.base.urls')),
     path('robots.txt', robots_txt),