Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

QOLDEV-638 throttle data request creation #93

Merged
merged 3 commits into from
Oct 17, 2023
Merged

QOLDEV-638 throttle data request creation #93

merged 3 commits into from
Oct 17, 2023

Conversation

ThrawnCA
Copy link

  • Restrict unprivileged accounts to creating one data request every five minutes. Increase the delay if they continue to attempt it.

@ThrawnCA
[QOLDEV-638] throttle creation of data requests
5adf158 
- Restrict unprivileged accounts to one request every 5 minutes.
Increase the delay if they keep trying.
Privileged accounts (edit permissions in any organisation) are unrestricted.
@ThrawnCA
[QOLDEV-638] add scenario test for throttling data request creation
974f929
duttonw
duttonw approved these changes Oct 17, 2023
View reviewed changes
Copy link
Member

@duttonw duttonw left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

should we not increase the time between submission on the same session instead of doubling it if they try to soon.
i.e.
first one (instance)
2nd one (5min wait)
3rd one (10min wait)
4th on(15min wait)

I'd also like you to add ip address tracking for this to stop multi user creation to bypass this.

the way you have it delays submitting for users who don't know or can't read.

@ThrawnCA
Copy link
Author

i.e. first one (instance) 2nd one (5min wait) 3rd one (10min wait) 4th on(15min wait)

So a linear increase, then? If you think that's better, then sure, it's easy to do.

It might also be good to put a maximum in, I suppose, eg one day. More than that likely isn't helpful, it's just asking for overflow-based exploits.

I'd also like you to add ip address tracking for this to stop multi user creation to bypass this.

That might be a good avenue for future enhancement, independently of data requests in particular.

@duttonw
Copy link
Member

duttonw commented Oct 17, 2023

we can leave it with

Double the delay every time someone tries too soon

    expiry = (2 ** (creation_attempts - 1)) * CREATION_THROTTLE_EXPIRY

unsure how safe it would be for time delays for multiple creates. might need something that lasts for a full session (maybe 24hours to keep count on submissions.)

@ThrawnCA
[QOLDEV-638] escalate throttling more slowly
feef862 
- Increase the delay linearly instead of doubling
- Cap the maximum delay to avoid overflow problems
@ThrawnCA ThrawnCA merged commit 23df564 into develop Oct 17, 2023
4 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@duttonw duttonw duttonw approved these changes

@kundupz kundupz Awaiting requested review from kundupz

@chris-randall-qol chris-randall-qol Awaiting requested review from chris-randall-qol

@RossWebsterWork RossWebsterWork Awaiting requested review from RossWebsterWork

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@ThrawnCA @duttonw