diff --git a/files/routes/admin.py b/files/routes/admin.py
index d4411ee12..33cde4bd0 100644
--- a/files/routes/admin.py
+++ b/files/routes/admin.py
@@ -77,6 +77,7 @@ def edit_rules_get(v):
 @app.post('/admin/edit_rules')
 @limiter.limit('1/second', scope=rpath)
+@limiter.limit('1/second', scope=rpath, key_func=get_ID)
 @limiter.limit("30/minute;200/hour;1000/day")
 @limiter.limit("30/minute;200/hour;1000/day", key_func=get_ID)
 @admin_level_required(PERMS['EDIT_RULES'])
@@ -96,6 +97,7 @@ def edit_rules_post(v):
 @app.post("/@/make_admin")
 @limiter.limit('1/second', scope=rpath)
+@limiter.limit('1/second', scope=rpath, key_func=get_ID)
 @limiter.limit(DEFAULT_RATELIMIT)
 @limiter.limit(DEFAULT_RATELIMIT, key_func=get_ID)
 @admin_level_required(PERMS['ADMIN_ADD'])
@@ -119,6 +121,7 @@ def make_admin(v:User, username):
 @app.post("/@/remove_admin")
 @limiter.limit('1/second', scope=rpath)
+@limiter.limit('1/second', scope=rpath, key_func=get_ID)
 @limiter.limit(DEFAULT_RATELIMIT)
 @limiter.limit(DEFAULT_RATELIMIT, key_func=get_ID)
 @admin_level_required(PERMS['ADMIN_REMOVE'])
@@ -148,6 +151,7 @@ def remove_admin(v:User, username):
 @app.post("/distribute//")
 @limiter.limit('1/second', scope=rpath)
+@limiter.limit('1/second', scope=rpath, key_func=get_ID)
 @limiter.limit(DEFAULT_RATELIMIT)
 @limiter.limit(DEFAULT_RATELIMIT, key_func=get_ID)
 @admin_level_required(PERMS['POST_BETS_DISTRIBUTE'])
@@ -217,6 +221,7 @@ def distribute(v:User, kind, option_id):
 @app.post("/@/revert_actions")
 @limiter.limit('1/second', scope=rpath)
+@limiter.limit('1/second', scope=rpath, key_func=get_ID)
 @limiter.limit(DEFAULT_RATELIMIT)
 @limiter.limit(DEFAULT_RATELIMIT, key_func=get_ID)
 @admin_level_required(PERMS['ADMIN_ACTIONS_REVERT'])
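Review bot: The same two-decorator pair, `@limiter.limit('1/second', scope=rpath)` followed by the new `@limiter.limit('1/second', scope=rpath, key_func=get_ID)`, is now pasted onto every POST route in this and the other touched files, so the per-IP and per-ID halves can drift apart on the next edit. A single reusable decorator would keep them together, e.g. `def per_second_limit(f): return limiter.limit('1/second', scope=rpath)(limiter.limit('1/second', scope=rpath, key_func=get_ID)(f))` applied once per route, which is the same stacking the hunk does by hand. The remaining hunks in admin.py and in the other route files of this commit carry the identical change.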
@@ -367,6 +372,7 @@ def admin_home(v):
 @app.post("/admin/site_settings/")
 @limiter.limit('1/second', scope=rpath)
+@limiter.limit('1/second', scope=rpath, key_func=get_ID)
 @limiter.limit(DEFAULT_RATELIMIT)
 @limiter.limit(DEFAULT_RATELIMIT, key_func=get_ID)
 @admin_level_required(PERMS['SITE_SETTINGS'])
@@ -396,6 +402,7 @@ def change_settings(v:User, setting):
 @app.post("/admin/clear_cloudflare_cache")
 @limiter.limit('1/second', scope=rpath)
+@limiter.limit('1/second', scope=rpath, key_func=get_ID)
 @limiter.limit(DEFAULT_RATELIMIT)
 @limiter.limit(DEFAULT_RATELIMIT, key_func=get_ID)
 @admin_level_required(PERMS['SITE_CACHE_PURGE_CDN'])
@@ -434,6 +441,7 @@ def badge_grant_get(v):
 @app.post("/admin/badge_grant")
 @feature_required('BADGES')
 @limiter.limit('1/second', scope=rpath)
+@limiter.limit('1/second', scope=rpath, key_func=get_ID)
 @limiter.limit(DEFAULT_RATELIMIT)
 @limiter.limit(DEFAULT_RATELIMIT, key_func=get_ID)
 @admin_level_required(PERMS['USER_BADGES'])
@@ -505,6 +513,7 @@ def badge_grant_post(v):
 @app.post("/admin/badge_remove")
 @feature_required('BADGES')
 @limiter.limit('1/second', scope=rpath)
+@limiter.limit('1/second', scope=rpath, key_func=get_ID)
 @limiter.limit(DEFAULT_RATELIMIT)
 @limiter.limit(DEFAULT_RATELIMIT, key_func=get_ID)
 @admin_level_required(PERMS['USER_BADGES'])
@@ -657,6 +666,7 @@ def admin_view_alts(v:User, username=None):
 @app.post('/@/alts/')
 @limiter.limit('1/second', scope=rpath)
+@limiter.limit('1/second', scope=rpath, key_func=get_ID)
 @limiter.limit(DEFAULT_RATELIMIT)
 @limiter.limit(DEFAULT_RATELIMIT, key_func=get_ID)
 @admin_level_required(PERMS['USER_LINK'])
@@ -693,6 +703,7 @@ def admin_add_alt(v:User, username):
 @app.post('/@/alts//deleted')
 @limiter.limit('1/second', scope=rpath)
+@limiter.limit('1/second', scope=rpath, key_func=get_ID)
 @limiter.limit(DEFAULT_RATELIMIT)
 @limiter.limit(DEFAULT_RATELIMIT, key_func=get_ID)
 @admin_level_required(PERMS['USER_LINK'])
@@ -760,6 +771,7 @@ def admin_removed_comments(v):
 @app.post("/unchud_user/")
 @limiter.limit('1/second', scope=rpath)
+@limiter.limit('1/second', scope=rpath, key_func=get_ID)
 @limiter.limit(DEFAULT_RATELIMIT)
 @limiter.limit(DEFAULT_RATELIMIT, key_func=get_ID)
 @admin_level_required(PERMS['USER_AGENDAPOSTER'])
@@ -802,6 +814,7 @@ def unagendaposter(id, v):
 @app.post("/shadowban/")
 @limiter.limit('1/second', scope=rpath)
+@limiter.limit('1/second', scope=rpath, key_func=get_ID)
 @limiter.limit(DEFAULT_RATELIMIT)
 @limiter.limit(DEFAULT_RATELIMIT, key_func=get_ID)
 @admin_level_required(PERMS['USER_SHADOWBAN'])
@@ -838,6 +851,7 @@ def shadowban(user_id, v):
 @app.post("/unshadowban/")
 @limiter.limit('1/second', scope=rpath)
+@limiter.limit('1/second', scope=rpath, key_func=get_ID)
 @limiter.limit(DEFAULT_RATELIMIT)
 @limiter.limit(DEFAULT_RATELIMIT, key_func=get_ID)
 @admin_level_required(PERMS['USER_SHADOWBAN'])
@@ -866,6 +880,7 @@ def unshadowban(user_id, v):
 @app.post("/admin/title_change/")
 @limiter.limit('1/second', scope=rpath)
+@limiter.limit('1/second', scope=rpath, key_func=get_ID)
 @limiter.limit(DEFAULT_RATELIMIT)
 @limiter.limit(DEFAULT_RATELIMIT, key_func=get_ID)
 @admin_level_required(PERMS['USER_TITLE_CHANGE'])
@@ -911,6 +926,7 @@ def admin_title_change(user_id, v):
 @app.post("/ban_user/")
 @limiter.limit('1/second', scope=rpath)
+@limiter.limit('1/second', scope=rpath, key_func=get_ID)
 @limiter.limit(DEFAULT_RATELIMIT)
 @limiter.limit(DEFAULT_RATELIMIT, key_func=get_ID)
 @admin_level_required(PERMS['USER_BAN'])
@@ -1005,6 +1021,7 @@ def ban_user(id, v):
 @app.post("/chud_user/")
 @limiter.limit('1/second', scope=rpath)
+@limiter.limit('1/second', scope=rpath, key_func=get_ID)
 @limiter.limit(DEFAULT_RATELIMIT)
 @limiter.limit(DEFAULT_RATELIMIT, key_func=get_ID)
 @admin_level_required(PERMS['USER_AGENDAPOSTER'])
@@ -1104,6 +1121,7 @@ def agendaposter(id, v):
 @app.post("/unban_user/")
 @limiter.limit('1/second', scope=rpath)
+@limiter.limit('1/second', scope=rpath, key_func=get_ID)
 @limiter.limit(DEFAULT_RATELIMIT)
 @limiter.limit(DEFAULT_RATELIMIT, key_func=get_ID)
 @admin_level_required(PERMS['USER_BAN'])
@@ -1150,6 +1168,7 @@ def unban_user(id, v):
 @app.post("/mute_user/")
 @limiter.limit('1/second', scope=rpath)
+@limiter.limit('1/second', scope=rpath, key_func=get_ID)
 @limiter.limit(DEFAULT_RATELIMIT)
 @limiter.limit(DEFAULT_RATELIMIT, key_func=get_ID)
 @admin_level_required(PERMS['USER_BAN'])
@@ -1172,6 +1191,7 @@ def mute_user(v:User, user_id):
 @app.post("/unmute_user/")
 @limiter.limit('1/second', scope=rpath)
+@limiter.limit('1/second', scope=rpath, key_func=get_ID)
 @limiter.limit(DEFAULT_RATELIMIT)
 @limiter.limit(DEFAULT_RATELIMIT, key_func=get_ID)
 @admin_level_required(PERMS['USER_BAN'])
@@ -1192,6 +1212,7 @@ def unmute_user(v:User, user_id):
 @app.post("/admin/progstack/post/")
 @limiter.limit('1/second', scope=rpath)
+@limiter.limit('1/second', scope=rpath, key_func=get_ID)
 @limiter.limit(DEFAULT_RATELIMIT)
 @limiter.limit(DEFAULT_RATELIMIT, key_func=get_ID)
 @admin_level_required(PERMS['PROGSTACK'])
@@ -1213,6 +1234,7 @@ def progstack_post(post_id, v):
 @app.post("/admin/unprogstack/post/")
 @limiter.limit('1/second', scope=rpath)
+@limiter.limit('1/second', scope=rpath, key_func=get_ID)
 @limiter.limit(DEFAULT_RATELIMIT)
 @limiter.limit(DEFAULT_RATELIMIT, key_func=get_ID)
 @admin_level_required(PERMS['PROGSTACK'])
@@ -1232,6 +1254,7 @@ def unprogstack_post(post_id, v):
 @app.post("/admin/progstack/comment/")
 @limiter.limit('1/second', scope=rpath)
+@limiter.limit('1/second', scope=rpath, key_func=get_ID)
 @limiter.limit(DEFAULT_RATELIMIT)
 @limiter.limit(DEFAULT_RATELIMIT, key_func=get_ID)
 @admin_level_required(PERMS['PROGSTACK'])
@@ -1253,6 +1276,7 @@ def progstack_comment(comment_id, v):
 @app.post("/admin/unprogstack/comment/")
 @limiter.limit('1/second', scope=rpath)
+@limiter.limit('1/second', scope=rpath, key_func=get_ID)
 @limiter.limit(DEFAULT_RATELIMIT)
 @limiter.limit(DEFAULT_RATELIMIT, key_func=get_ID)
 @admin_level_required(PERMS['PROGSTACK'])
@@ -1272,6 +1296,7 @@ def unprogstack_comment(comment_id, v):
 @app.post("/remove_post/")
 @limiter.limit('1/second', scope=rpath)
+@limiter.limit('1/second', scope=rpath, key_func=get_ID)
 @limiter.limit(DEFAULT_RATELIMIT)
 @limiter.limit(DEFAULT_RATELIMIT, key_func=get_ID)
 @admin_level_required(PERMS['POST_COMMENT_MODERATION'])
@@ -1302,6 +1327,7 @@ def remove_post(post_id, v):
 @app.post("/approve_post/")
 @limiter.limit('1/second', scope=rpath)
+@limiter.limit('1/second', scope=rpath, key_func=get_ID)
 @limiter.limit(DEFAULT_RATELIMIT)
 @limiter.limit(DEFAULT_RATELIMIT, key_func=get_ID)
 @admin_level_required(PERMS['POST_COMMENT_MODERATION'])
@@ -1335,6 +1361,7 @@ def approve_post(post_id, v):
 @app.post("/distinguish/")
 @limiter.limit('1/second', scope=rpath)
+@limiter.limit('1/second', scope=rpath, key_func=get_ID)
 @limiter.limit(DEFAULT_RATELIMIT)
 @limiter.limit(DEFAULT_RATELIMIT, key_func=get_ID)
 @admin_level_required(PERMS['POST_COMMENT_DISTINGUISH'])
@@ -1365,6 +1392,7 @@ def distinguish_post(post_id, v):
 @app.post("/sticky/")
 @feature_required('PINS')
 @limiter.limit('1/second', scope=rpath)
+@limiter.limit('1/second', scope=rpath, key_func=get_ID)
 @limiter.limit(DEFAULT_RATELIMIT)
 @limiter.limit(DEFAULT_RATELIMIT, key_func=get_ID)
 @admin_level_required(PERMS['POST_COMMENT_MODERATION'])
@@ -1411,6 +1439,7 @@ def sticky_post(post_id, v):
 @app.post("/unsticky/")
 @limiter.limit('1/second', scope=rpath)
+@limiter.limit('1/second', scope=rpath, key_func=get_ID)
 @limiter.limit(DEFAULT_RATELIMIT)
 @limiter.limit(DEFAULT_RATELIMIT, key_func=get_ID)
 @admin_level_required(PERMS['POST_COMMENT_MODERATION'])
@@ -1442,6 +1471,7 @@ def unsticky_post(post_id, v):
 @app.post("/sticky_comment/")
 @limiter.limit('1/second', scope=rpath)
+@limiter.limit('1/second', scope=rpath, key_func=get_ID)
 @limiter.limit(DEFAULT_RATELIMIT)
 @limiter.limit(DEFAULT_RATELIMIT, key_func=get_ID)
 @admin_level_required(PERMS['POST_COMMENT_MODERATION'])
@@ -1480,6 +1510,7 @@ def sticky_comment(cid, v):
 @app.post("/unsticky_comment/")
 @limiter.limit('1/second', scope=rpath)
+@limiter.limit('1/second', scope=rpath, key_func=get_ID)
 @limiter.limit(DEFAULT_RATELIMIT)
 @limiter.limit(DEFAULT_RATELIMIT, key_func=get_ID)
 @admin_level_required(PERMS['POST_COMMENT_MODERATION'])
@@ -1514,6 +1545,7 @@ def unsticky_comment(cid, v):
 @app.post("/remove_comment/")
 @limiter.limit('1/second', scope=rpath)
+@limiter.limit('1/second', scope=rpath, key_func=get_ID)
 @limiter.limit(DEFAULT_RATELIMIT)
 @limiter.limit(DEFAULT_RATELIMIT, key_func=get_ID)
 @admin_level_required(PERMS['POST_COMMENT_MODERATION'])
@@ -1536,6 +1568,7 @@ def remove_comment(c_id, v):
 @app.post("/approve_comment/")
 @limiter.limit('1/second', scope=rpath)
+@limiter.limit('1/second', scope=rpath, key_func=get_ID)
 @limiter.limit(DEFAULT_RATELIMIT)
 @limiter.limit(DEFAULT_RATELIMIT, key_func=get_ID)
 @admin_level_required(PERMS['POST_COMMENT_MODERATION'])
@@ -1564,6 +1597,7 @@ def approve_comment(c_id, v):
 @app.post("/distinguish_comment/")
 @limiter.limit('1/second', scope=rpath)
+@limiter.limit('1/second', scope=rpath, key_func=get_ID)
 @limiter.limit(DEFAULT_RATELIMIT)
 @limiter.limit(DEFAULT_RATELIMIT, key_func=get_ID)
 @admin_level_required(PERMS['POST_COMMENT_DISTINGUISH'])
@@ -1602,6 +1636,7 @@ def admin_banned_domains(v):
 @app.post("/admin/ban_domain")
 @limiter.limit('1/second', scope=rpath)
+@limiter.limit('1/second', scope=rpath, key_func=get_ID)
 @limiter.limit(DEFAULT_RATELIMIT)
 @limiter.limit(DEFAULT_RATELIMIT, key_func=get_ID)
 @admin_level_required(PERMS['DOMAINS_BAN'])
@@ -1635,6 +1670,7 @@ def ban_domain(v):
 @app.post("/admin/unban_domain/")
 @limiter.limit('1/second', scope=rpath)
+@limiter.limit('1/second', scope=rpath, key_func=get_ID)
 @limiter.limit(DEFAULT_RATELIMIT)
 @limiter.limit(DEFAULT_RATELIMIT, key_func=get_ID)
 @admin_level_required(PERMS['DOMAINS_BAN'])
@@ -1656,6 +1692,7 @@ def unban_domain(v:User, domain):
 @app.post("/admin/nuke_user")
 @limiter.limit('1/second', scope=rpath)
+@limiter.limit('1/second', scope=rpath, key_func=get_ID)
 @limiter.limit(DEFAULT_RATELIMIT)
 @limiter.limit(DEFAULT_RATELIMIT, key_func=get_ID)
 @admin_level_required(PERMS['POST_COMMENT_MODERATION'])
@@ -1691,6 +1728,7 @@ def admin_nuke_user(v):
 @app.post("/admin/unnuke_user")
 @limiter.limit('1/second', scope=rpath)
+@limiter.limit('1/second', scope=rpath, key_func=get_ID)
 @limiter.limit(DEFAULT_RATELIMIT)
 @limiter.limit(DEFAULT_RATELIMIT, key_func=get_ID)
 @admin_level_required(PERMS['POST_COMMENT_MODERATION'])
@@ -1727,6 +1765,7 @@ def admin_nunuke_user(v):
 @app.post("/blacklist/")
 @limiter.limit('1/second', scope=rpath)
+@limiter.limit('1/second', scope=rpath, key_func=get_ID)
 @limiter.limit(DEFAULT_RATELIMIT)
 @limiter.limit(DEFAULT_RATELIMIT, key_func=get_ID)
 @admin_level_required(PERMS['USER_BLACKLIST'])
@@ -1749,6 +1788,7 @@ def blacklist_user(user_id, v):
 @app.post("/unblacklist/")
 @limiter.limit('1/second', scope=rpath)
+@limiter.limit('1/second', scope=rpath, key_func=get_ID)
 @limiter.limit(DEFAULT_RATELIMIT)
 @limiter.limit(DEFAULT_RATELIMIT, key_func=get_ID)
 @admin_level_required(PERMS['USER_BLACKLIST'])
@@ -1779,6 +1819,7 @@ def delete_media_get(v):
 @app.post("/admin/delete_media")
 @limiter.limit('1/second', scope=rpath)
+@limiter.limit('1/second', scope=rpath, key_func=get_ID)
 @limiter.limit("50/day")
 @limiter.limit("50/day", key_func=get_ID)
 @admin_level_required(PERMS['DELETE_MEDIA'])
diff --git a/files/routes/allroutes.py b/files/routes/allroutes.py
index 5448ca1c7..d6ece5bb9 100644
--- a/files/routes/allroutes.py
+++ b/files/routes/allroutes.py
@@ -61,6 +61,8 @@ def after_request(response:Response):
 if request.method == "POST" and not request.path.startswith('/casino/twentyone/'):
 r.delete(f'LIMITER/{get_CF()}/{request.endpoint}:{request.path}/1/1/second')
+ if g.v:
+ r.delete(f'LIMITER/{SITE}-{g.v.id}/{request.endpoint}:{request.path}/1/1/second')
 return response
diff --git a/files/routes/asset_submissions.py b/files/routes/asset_submissions.py
index 162368a17..144a023fb 100644
--- a/files/routes/asset_submissions.py
+++ b/files/routes/asset_submissions.py
@@ -39,6 +39,7 @@ def submit_emojis(v:User):
 @app.post("/submit/emojis")
 @limiter.limit('1/second', scope=rpath)
+@limiter.limit('1/second', scope=rpath, key_func=get_ID)
 @limiter.limit(DEFAULT_RATELIMIT)
 @limiter.limit(DEFAULT_RATELIMIT, key_func=get_ID)
 @auth_required
@@ -114,6 +115,7 @@ def verify_permissions_and_get_asset(cls, asset_type:str, v:User, name:str, make
 @app.post("/admin/approve/emoji/")
 @limiter.limit('1/second', scope=rpath)
+@limiter.limit('1/second', scope=rpath, key_func=get_ID)
 @limiter.limit(DEFAULT_RATELIMIT)
 @limiter.limit(DEFAULT_RATELIMIT, key_func=get_ID)
 @admin_level_required(PERMS['MODERATE_PENDING_SUBMITTED_ASSETS'])
@@ -253,6 +255,7 @@ def remove_asset(cls, type_name:str, v:User, name:str) -> dict[str, str]:
 @app.post("/remove/emoji/")
 @limiter.limit('1/second', scope=rpath)
+@limiter.limit('1/second', scope=rpath, key_func=get_ID)
 @limiter.limit(DEFAULT_RATELIMIT)
 @limiter.limit(DEFAULT_RATELIMIT, key_func=get_ID)
 @auth_required
@@ -273,6 +276,7 @@ def submit_hats(v:User):
 @app.post("/submit/hats")
 @limiter.limit('1/second', scope=rpath)
+@limiter.limit('1/second', scope=rpath, key_func=get_ID)
 @limiter.limit(DEFAULT_RATELIMIT)
 @limiter.limit(DEFAULT_RATELIMIT, key_func=get_ID)
 @auth_required
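Review bot: The per-ID key deleted on the new `r.delete` line is rebuilt by hand as `{SITE}-{g.v.id}` instead of taken from the key function the limiter decorators actually use, so it only matches while `get_ID` keeps exactly that format and flask-limiter keeps the `LIMITER/<key>/<endpoint>:<path>/1/1/second` layout the existing line relies on; `r.delete` (presumably a Redis client) returns 0 rather than failing when the names drift, so the per-ID 1/second limit would silently start sticking for a full second. Calling the same function the decorators are given, `r.delete(f'LIMITER/{get_ID()}/{request.endpoint}:{request.path}/1/1/second')`, keeps the two in step, assuming `get_ID` takes no arguments as its use as `key_func` suggests. `g.v` also raises AttributeError if any request reaches after_request without `v` having been assigned on `g`; `getattr(g, 'v', None)` is the defensive form if that can happen. Because this hook clears the counter at the end of every POST, the 1/second limits act as a guard against overlapping in-flight requests rather than a throughput cap, which deserves a comment above the `if`, e.g. `# clear the 1/second keys so the limit rejects overlapping requests, not back-to-back ones`. after_request starts outside the hunk.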
@@ -331,6 +335,7 @@ def submit_hat(v:User):
 @app.post("/admin/approve/hat/")
 @limiter.limit('1/second', scope=rpath)
+@limiter.limit('1/second', scope=rpath, key_func=get_ID)
 @limiter.limit("120/minute;200/hour;1000/day")
 @limiter.limit("120/minute;200/hour;1000/day", key_func=get_ID)
 @admin_level_required(PERMS['MODERATE_PENDING_SUBMITTED_ASSETS'])
@@ -403,6 +408,7 @@ def approve_hat(v, name):
 @app.post("/remove/hat/")
 @limiter.limit('1/second', scope=rpath)
+@limiter.limit('1/second', scope=rpath, key_func=get_ID)
 @limiter.limit(DEFAULT_RATELIMIT)
 @limiter.limit(DEFAULT_RATELIMIT, key_func=get_ID)
 @auth_required
@@ -419,6 +425,7 @@ def update_emojis(v):
 @app.post("/admin/update/emojis")
 @limiter.limit('1/second', scope=rpath)
+@limiter.limit('1/second', scope=rpath, key_func=get_ID)
 @limiter.limit(DEFAULT_RATELIMIT)
 @limiter.limit(DEFAULT_RATELIMIT, key_func=get_ID)
 @admin_level_required(PERMS['UPDATE_ASSETS'])
@@ -501,6 +508,7 @@ def update_hats(v):
 @app.post("/admin/update/hats")
 @limiter.limit('1/second', scope=rpath)
+@limiter.limit('1/second', scope=rpath, key_func=get_ID)
 @limiter.limit(DEFAULT_RATELIMIT)
 @limiter.limit(DEFAULT_RATELIMIT, key_func=get_ID)
 @admin_level_required(PERMS['UPDATE_ASSETS'])
diff --git a/files/routes/awards.py b/files/routes/awards.py
index b78972a0c..f3dc62ccc 100644
--- a/files/routes/awards.py
+++ b/files/routes/awards.py
@@ -54,6 +54,7 @@ def shop(v:User):
 @app.post("/buy/")
 @limiter.limit('1/second', scope=rpath)
+@limiter.limit('1/second', scope=rpath, key_func=get_ID)
 @limiter.limit("100/minute;200/hour;1000/day")
 @limiter.limit("100/minute;200/hour;1000/day", key_func=get_ID)
 @auth_required
@@ -136,6 +137,7 @@ def buy(v:User, award):
 @app.post("/award//")
 @limiter.limit('1/second', scope=rpath)
+@limiter.limit('1/second', scope=rpath, key_func=get_ID)
 @limiter.limit(DEFAULT_RATELIMIT)
 @limiter.limit(DEFAULT_RATELIMIT, key_func=get_ID)
 @is_not_permabanned
diff --git a/files/routes/casino.py b/files/routes/casino.py
index 76f891b93..6482babc8 100644
--- a/files/routes/casino.py
+++ b/files/routes/casino.py
@@ -81,6 +81,7 @@ def lottershe(v:User):
 # Slots
 @app.post("/casino/slots")
 @limiter.limit('1/second', scope=rpath)
+@limiter.limit('1/second', scope=rpath, key_func=get_ID)
 @limiter.limit(CASINO_RATELIMIT)
 @limiter.limit(CASINO_RATELIMIT, key_func=get_ID)
 @auth_required
@@ -114,6 +115,7 @@ def pull_slots(v:User):
 # 21
 @app.post("/casino/twentyone/deal")
 @limiter.limit('1/second', scope=rpath)
+@limiter.limit('1/second', scope=rpath, key_func=get_ID)
 @limiter.limit(CASINO_RATELIMIT)
 @limiter.limit(CASINO_RATELIMIT, key_func=get_ID)
 @auth_required
@@ -135,6 +137,7 @@ def blackjack_deal_to_player(v:User):
 @app.post("/casino/twentyone/hit")
 @limiter.limit('1/second', scope=rpath)
+@limiter.limit('1/second', scope=rpath, key_func=get_ID)
 @limiter.limit(CASINO_RATELIMIT)
 @limiter.limit(CASINO_RATELIMIT, key_func=get_ID)
 @auth_required
@@ -152,6 +155,7 @@ def blackjack_player_hit(v:User):
 @app.post("/casino/twentyone/stay")
 @limiter.limit('1/second', scope=rpath)
+@limiter.limit('1/second', scope=rpath, key_func=get_ID)
 @limiter.limit(CASINO_RATELIMIT)
 @limiter.limit(CASINO_RATELIMIT, key_func=get_ID)
 @auth_required
@@ -169,6 +173,7 @@ def blackjack_player_stay(v:User):
 @app.post("/casino/twentyone/double-down")
 @limiter.limit('1/second', scope=rpath)
+@limiter.limit('1/second', scope=rpath, key_func=get_ID)
 @limiter.limit(CASINO_RATELIMIT)
 @limiter.limit(CASINO_RATELIMIT, key_func=get_ID)
 @auth_required
@@ -186,6 +191,7 @@ def blackjack_player_doubled_down(v:User):
 @app.post("/casino/twentyone/buy-insurance")
 @limiter.limit('1/second', scope=rpath)
+@limiter.limit('1/second', scope=rpath, key_func=get_ID)
 @limiter.limit(CASINO_RATELIMIT)
 @limiter.limit(CASINO_RATELIMIT, key_func=get_ID)
 @auth_required
@@ -216,6 +222,7 @@ def roulette_get_bets(v:User):
 @app.post("/casino/roulette/place-bet")
 @limiter.limit('1/second', scope=rpath)
+@limiter.limit('1/second', scope=rpath, key_func=get_ID)
 @limiter.limit(CASINO_RATELIMIT)
 @limiter.limit(CASINO_RATELIMIT, key_func=get_ID)
 @auth_required
diff --git a/files/routes/comments.py b/files/routes/comments.py
index c085afacf..61d0605a6 100644
--- a/files/routes/comments.py
+++ b/files/routes/comments.py
@@ -84,6 +84,7 @@ def post_pid_comment_cid(cid, pid=None, anything=None, v=None, sub=None):
 @app.post("/comment")
 @limiter.limit('1/second', scope=rpath)
+@limiter.limit('1/second', scope=rpath, key_func=get_ID)
 @limiter.limit("20/minute;200/hour;1000/day")
 @limiter.limit("20/minute;200/hour;1000/day", key_func=get_ID)
 @auth_required
@@ -388,6 +389,7 @@ def comment(v:User):
 @app.post("/delete/comment/")
 @limiter.limit('1/second', scope=rpath)
+@limiter.limit('1/second', scope=rpath, key_func=get_ID)
 @limiter.limit(DEFAULT_RATELIMIT)
 @limiter.limit(DEFAULT_RATELIMIT, key_func=get_ID)
 @auth_required
@@ -410,6 +412,7 @@ def delete_comment(cid, v):
 @app.post("/undelete/comment/")
 @limiter.limit('1/second', scope=rpath)
+@limiter.limit('1/second', scope=rpath, key_func=get_ID)
 @limiter.limit(DEFAULT_RATELIMIT)
 @limiter.limit(DEFAULT_RATELIMIT, key_func=get_ID)
 @auth_required
@@ -431,6 +434,7 @@ def undelete_comment(cid, v):
 @app.post("/pin_comment/")
 @feature_required('PINS')
 @limiter.limit('1/second', scope=rpath)
+@limiter.limit('1/second', scope=rpath, key_func=get_ID)
 @limiter.limit(DEFAULT_RATELIMIT)
 @limiter.limit(DEFAULT_RATELIMIT, key_func=get_ID)
 @auth_required
@@ -456,6 +460,7 @@ def pin_comment(cid, v):
 @app.post("/unpin_comment/")
 @limiter.limit('1/second', scope=rpath)
+@limiter.limit('1/second', scope=rpath, key_func=get_ID)
 @limiter.limit(DEFAULT_RATELIMIT)
 @limiter.limit(DEFAULT_RATELIMIT, key_func=get_ID)
 @auth_required
@@ -480,6 +485,7 @@ def unpin_comment(cid, v):
 @app.post("/save_comment/")
 @limiter.limit('1/second', scope=rpath)
+@limiter.limit('1/second', scope=rpath, key_func=get_ID)
 @limiter.limit(DEFAULT_RATELIMIT)
 @limiter.limit(DEFAULT_RATELIMIT, key_func=get_ID)
 @auth_required
@@ -498,6 +504,7 @@ def save_comment(cid, v):
 @app.post("/unsave_comment/")
 @limiter.limit('1/second', scope=rpath)
+@limiter.limit('1/second', scope=rpath, key_func=get_ID)
 @limiter.limit(DEFAULT_RATELIMIT)
 @limiter.limit(DEFAULT_RATELIMIT, key_func=get_ID)
 @auth_required
@@ -535,6 +542,7 @@ def diff_words(answer, guess):
 @app.post("/wordle/")
 @limiter.limit('1/second', scope=rpath)
+@limiter.limit('1/second', scope=rpath, key_func=get_ID)
 @limiter.limit(DEFAULT_RATELIMIT)
 @limiter.limit(DEFAULT_RATELIMIT, key_func=get_ID)
 @auth_required
@@ -569,6 +577,7 @@ def handle_wordle_action(cid, v):
 @app.post("/toggle_comment_nsfw/")
 @feature_required('NSFW_MARKING')
 @limiter.limit('1/second', scope=rpath)
+@limiter.limit('1/second', scope=rpath, key_func=get_ID)
 @limiter.limit(DEFAULT_RATELIMIT)
 @limiter.limit(DEFAULT_RATELIMIT, key_func=get_ID)
 @auth_required
@@ -606,6 +615,7 @@ def toggle_comment_nsfw(cid, v):
 @app.post("/edit_comment/")
 @limiter.limit('1/second', scope=rpath)
+@limiter.limit('1/second', scope=rpath, key_func=get_ID)
 @limiter.limit("10/minute;100/hour;200/day")
 @limiter.limit("10/minute;100/hour;200/day", key_func=get_ID)
 @is_not_permabanned
diff --git a/files/routes/errors.py b/files/routes/errors.py
index 21b2a9684..ad7c9feac 100644
--- a/files/routes/errors.py
+++ b/files/routes/errors.py
@@ -63,6 +63,7 @@ def error_500(e):
 @app.post("/allow_nsfw")
 @limiter.limit('1/second', scope=rpath)
+@limiter.limit('1/second', scope=rpath, key_func=get_ID)
 @limiter.limit(DEFAULT_RATELIMIT)
 def allow_nsfw():
 session["over_18"] = int(time.time()) + 3600
diff --git a/files/routes/groups.py b/files/routes/groups.py
index b366f209b..351aa876a 100644
--- a/files/routes/groups.py
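Review bot: The new per-ID 1/second limit on `/allow_nsfw` sits on a route with no auth decorator, so `get_ID` is evaluated for anonymous requests, and what it returns for a visitor with no user id decides whether this limit is skipped or shared by every anonymous client; a shared bucket would let one client's steady one-request-per-second traffic keep everyone else out of the endpoint. The same applies to `/login`, `/signup`, `/forgot`, `/reset` and `/lost_2fa` in login.py and `/is_repost` in posts.py, the only routes in this commit that gain the per-ID limit without `@auth_required` or `@is_not_permabanned` above them, which matters most for the login and password-reset paths. The after_request cleanup in allroutes.py only deletes the per-ID key when `g.v` is set, so an anonymous bucket is never cleared and would act as a true shared rate limit rather than the in-flight guard the other routes get. If `get_ID` yields a constant for anonymous users, dropping the `key_func=get_ID` line from these unauthenticated routes, matching how their existing `DEFAULT_RATELIMIT` lines already omit it, is the safer choice.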
+++ b/files/routes/groups.py
@@ -17,6 +17,7 @@ def ping_groups(v:User):
 @app.post("/create_group")
 @limiter.limit('1/second', scope=rpath)
+@limiter.limit('1/second', scope=rpath, key_func=get_ID)
 @limiter.limit(DEFAULT_RATELIMIT)
 @limiter.limit(DEFAULT_RATELIMIT, key_func=get_ID)
 @is_not_permabanned
@@ -60,6 +61,7 @@ def create_group(v):
 @app.post("/!/apply")
 @limiter.limit('1/second', scope=rpath)
+@limiter.limit('1/second', scope=rpath, key_func=get_ID)
 @limiter.limit(DEFAULT_RATELIMIT)
 @limiter.limit(DEFAULT_RATELIMIT, key_func=get_ID)
 @auth_required
@@ -78,6 +80,7 @@ def join_group(v:User, group_name):
 @app.post("/!/leave")
 @limiter.limit('1/second', scope=rpath)
+@limiter.limit('1/second', scope=rpath, key_func=get_ID)
 @limiter.limit(DEFAULT_RATELIMIT)
 @limiter.limit(DEFAULT_RATELIMIT, key_func=get_ID)
 @auth_required
@@ -130,6 +133,7 @@ def memberships(v:User, group_name):
 @app.post("/!//approve")
 @limiter.limit('1/second', scope=rpath)
+@limiter.limit('1/second', scope=rpath, key_func=get_ID)
 @limiter.limit(DEFAULT_RATELIMIT)
 @limiter.limit(DEFAULT_RATELIMIT, key_func=get_ID)
 @auth_required
@@ -155,6 +159,7 @@ def group_approve(v:User, group_name, user_id):
 @app.post("/!//reject")
 @limiter.limit('1/second', scope=rpath)
+@limiter.limit('1/second', scope=rpath, key_func=get_ID)
 @limiter.limit(DEFAULT_RATELIMIT)
 @limiter.limit(DEFAULT_RATELIMIT, key_func=get_ID)
 @auth_required
diff --git a/files/routes/hats.py b/files/routes/hats.py
index fe7732cef..7690b7c14 100644
--- a/files/routes/hats.py
+++ b/files/routes/hats.py
@@ -30,6 +30,7 @@ def hats(v:User):
 @app.post("/buy_hat/")
 @limiter.limit('1/second', scope=rpath)
+@limiter.limit('1/second', scope=rpath, key_func=get_ID)
 @limiter.limit('100/minute;1000/3 days')
 @limiter.limit('100/minute;1000/3 days', key_func=get_ID)
 @auth_required
@@ -83,6 +84,7 @@ def buy_hat(v:User, hat_id):
 @app.post("/equip_hat/")
 @limiter.limit('1/second', scope=rpath)
+@limiter.limit('1/second', scope=rpath, key_func=get_ID)
 @limiter.limit(DEFAULT_RATELIMIT)
 @limiter.limit(DEFAULT_RATELIMIT, key_func=get_ID)
 @auth_required
@@ -100,6 +102,7 @@ def equip_hat(v:User, hat_id):
 @app.post("/unequip_hat/")
 @limiter.limit('1/second', scope=rpath)
+@limiter.limit('1/second', scope=rpath, key_func=get_ID)
 @limiter.limit(DEFAULT_RATELIMIT)
 @limiter.limit(DEFAULT_RATELIMIT, key_func=get_ID)
 @auth_required
diff --git a/files/routes/login.py b/files/routes/login.py
index 78ebc2add..9833dbdc4 100644
--- a/files/routes/login.py
+++ b/files/routes/login.py
@@ -40,6 +40,7 @@ def login_deduct_when(resp):
 @app.post("/login")
 @limiter.limit('1/second', scope=rpath)
+@limiter.limit('1/second', scope=rpath, key_func=get_ID)
 @limiter.limit(DEFAULT_RATELIMIT)
 @auth_desired
 @limiter.limit("6/minute;10/day", deduct_when=login_deduct_when)
@@ -140,6 +141,7 @@ def me(v:User):
 @app.post("/logout")
 @limiter.limit('1/second', scope=rpath)
+@limiter.limit('1/second', scope=rpath, key_func=get_ID)
 @limiter.limit(DEFAULT_RATELIMIT)
 @limiter.limit(DEFAULT_RATELIMIT, key_func=get_ID)
 @auth_required
@@ -200,6 +202,7 @@ def sign_up_get(v:Optional[User]):
 @app.post("/signup")
 @limiter.limit('1/second', scope=rpath)
+@limiter.limit('1/second', scope=rpath, key_func=get_ID)
 @limiter.limit("10/day")
 @auth_desired
 def sign_up_post(v:Optional[User]):
@@ -374,6 +377,7 @@ def get_forgot():
 @app.post("/forgot")
 @limiter.limit('1/second', scope=rpath)
+@limiter.limit('1/second', scope=rpath, key_func=get_ID)
 @limiter.limit(DEFAULT_RATELIMIT)
 def post_forgot():
@@ -440,6 +444,7 @@ def get_reset():
 @app.post("/reset")
 @limiter.limit('1/second', scope=rpath)
+@limiter.limit('1/second', scope=rpath, key_func=get_ID)
 @limiter.limit(DEFAULT_RATELIMIT)
 @auth_desired
 def post_reset(v:Optional[User]):
@@ -487,6 +492,7 @@ def lost_2fa(v:Optional[User]):
 @app.post("/lost_2fa")
 @limiter.limit('1/second', scope=rpath)
+@limiter.limit('1/second', scope=rpath, key_func=get_ID)
 @limiter.limit("6/minute;200/hour;1000/day")
 def lost_2fa_post():
 username=request.values.get("username")
diff --git a/files/routes/lottery.py b/files/routes/lottery.py
index 573adf7e3..9d1010ff7 100644
--- a/files/routes/lottery.py
+++ b/files/routes/lottery.py
@@ -8,6 +8,7 @@ from files.__main__ import app, limiter
 @app.post("/lottery/end")
 @limiter.limit('1/second', scope=rpath)
+@limiter.limit('1/second', scope=rpath, key_func=get_ID)
 @limiter.limit(DEFAULT_RATELIMIT)
 @limiter.limit(DEFAULT_RATELIMIT, key_func=get_ID)
 @admin_level_required(PERMS['LOTTERY_ADMIN'])
@@ -18,6 +19,7 @@ def lottery_end(v):
 @app.post("/lottery/start")
 @limiter.limit('1/second', scope=rpath)
+@limiter.limit('1/second', scope=rpath, key_func=get_ID)
 @limiter.limit(DEFAULT_RATELIMIT)
 @limiter.limit(DEFAULT_RATELIMIT, key_func=get_ID)
 @admin_level_required(PERMS['LOTTERY_ADMIN'])
@@ -28,6 +30,7 @@ def lottery_start(v):
 @app.post("/lottery/buy")
 @limiter.limit('1/second', scope=rpath)
+@limiter.limit('1/second', scope=rpath, key_func=get_ID)
 @limiter.limit("100/minute;500/hour;1000/day")
 @limiter.limit("100/minute;500/hour;1000/day", key_func=get_ID)
 @auth_required
diff --git a/files/routes/mail.py b/files/routes/mail.py
index 16e87c62b..2387c1ea7 100644
--- a/files/routes/mail.py
+++ b/files/routes/mail.py
@@ -11,6 +11,7 @@ from files.__main__ import app, limiter
 @app.post("/verify_email")
 @limiter.limit('1/second', scope=rpath)
+@limiter.limit('1/second', scope=rpath, key_func=get_ID)
 @limiter.limit(DEFAULT_RATELIMIT)
 @limiter.limit(DEFAULT_RATELIMIT, key_func=get_ID)
 @auth_required
diff --git a/files/routes/notifications.py b/files/routes/notifications.py
index 5bb47dee6..cba32d1d2 100644
--- a/files/routes/notifications.py
+++ b/files/routes/notifications.py
@@ -12,6 +12,7 @@ from files.__main__ import app
 @app.post("/clear")
 @limiter.limit('1/second', scope=rpath)
+@limiter.limit('1/second', scope=rpath, key_func=get_ID)
 @limiter.limit(DEFAULT_RATELIMIT)
 @limiter.limit(DEFAULT_RATELIMIT, key_func=get_ID)
 @auth_required
diff --git a/files/routes/oauth.py b/files/routes/oauth.py
index 3b56ebfd7..dfe1c13ac 100644
--- a/files/routes/oauth.py
+++ b/files/routes/oauth.py
@@ -19,6 +19,7 @@ def authorize_prompt(v:User):
 @app.post("/authorize")
 @limiter.limit('1/second', scope=rpath)
+@limiter.limit('1/second', scope=rpath, key_func=get_ID)
 @limiter.limit(DEFAULT_RATELIMIT)
 @limiter.limit(DEFAULT_RATELIMIT, key_func=get_ID)
 @auth_required
@@ -40,6 +41,7 @@ def authorize(v):
 @app.post("/rescind/")
 @limiter.limit('1/second', scope=rpath)
+@limiter.limit('1/second', scope=rpath, key_func=get_ID)
 @limiter.limit(DEFAULT_RATELIMIT)
 @limiter.limit(DEFAULT_RATELIMIT, key_func=get_ID)
 @auth_required
@@ -53,6 +55,7 @@ def rescind(v, aid):
 @app.post("/api_keys")
 @limiter.limit('1/second', scope=rpath)
+@limiter.limit('1/second', scope=rpath, key_func=get_ID)
 @limiter.limit(DEFAULT_RATELIMIT)
 @limiter.limit(DEFAULT_RATELIMIT, key_func=get_ID)
 @is_not_permabanned
@@ -95,6 +98,7 @@ def request_api_keys(v):
 @app.post("/delete_app/")
 @limiter.limit('1/second', scope=rpath)
+@limiter.limit('1/second', scope=rpath, key_func=get_ID)
 @limiter.limit(DEFAULT_RATELIMIT)
 @limiter.limit(DEFAULT_RATELIMIT, key_func=get_ID)
 @auth_required
@@ -119,6 +123,7 @@ def delete_oauth_app(v, aid):
 @app.post("/edit_app/")
 @limiter.limit('1/second', scope=rpath)
+@limiter.limit('1/second', scope=rpath, key_func=get_ID)
 @limiter.limit(DEFAULT_RATELIMIT)
 @limiter.limit(DEFAULT_RATELIMIT, key_func=get_ID)
 @is_not_permabanned
@@ -144,6 +149,7 @@ def edit_oauth_app(v, aid): @app.post("/admin/app/approve/") @limiter.limit('1/second', scope=rpath) +@limiter.limit('1/second', scope=rpath, key_func=get_ID) @limiter.limit(DEFAULT_RATELIMIT) @limiter.limit(DEFAULT_RATELIMIT, key_func=get_ID) @admin_level_required(PERMS['APPS_MODERATION']) @@ -182,6 +188,7 @@ def admin_app_approve(v, aid): @app.post("/admin/app/revoke/") @limiter.limit('1/second', scope=rpath) +@limiter.limit('1/second', scope=rpath, key_func=get_ID) @limiter.limit(DEFAULT_RATELIMIT) @limiter.limit(DEFAULT_RATELIMIT, key_func=get_ID) @admin_level_required(PERMS['APPS_MODERATION']) @@ -209,6 +216,7 @@ def admin_app_revoke(v, aid): @app.post("/admin/app/reject/") @limiter.limit('1/second', scope=rpath) +@limiter.limit('1/second', scope=rpath, key_func=get_ID) @limiter.limit(DEFAULT_RATELIMIT) @limiter.limit(DEFAULT_RATELIMIT, key_func=get_ID) @admin_level_required(PERMS['APPS_MODERATION']) @@ -303,6 +311,7 @@ def admin_apps_list(v): @app.post("/reroll/") @limiter.limit('1/second', scope=rpath) +@limiter.limit('1/second', scope=rpath, key_func=get_ID) @limiter.limit(DEFAULT_RATELIMIT) @limiter.limit(DEFAULT_RATELIMIT, key_func=get_ID) @auth_required diff --git a/files/routes/polls.py b/files/routes/polls.py index 6d5671c75..c7d00f0f9 100644 --- a/files/routes/polls.py +++ b/files/routes/polls.py @@ -7,6 +7,7 @@ from files.__main__ import app @app.post("/vote/post/option/") @limiter.limit('1/second', scope=rpath) +@limiter.limit('1/second', scope=rpath, key_func=get_ID) @limiter.limit(DEFAULT_RATELIMIT) @limiter.limit(DEFAULT_RATELIMIT, key_func=get_ID) @is_not_permabanned @@ -57,6 +58,7 @@ def vote_option(option_id, v): @app.post("/vote/comment/option/") @limiter.limit('1/second', scope=rpath) +@limiter.limit('1/second', scope=rpath, key_func=get_ID) @limiter.limit(DEFAULT_RATELIMIT) @limiter.limit(DEFAULT_RATELIMIT, key_func=get_ID) @is_not_permabanned 
diff --git a/files/routes/posts.py b/files/routes/posts.py index 88ee77be6..7fa2f4de6 100644 --- a/files/routes/posts.py +++ b/files/routes/posts.py @@ -34,6 +34,7 @@ titleheaders = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWe @app.post("/publish/") @limiter.limit('1/second', scope=rpath) +@limiter.limit('1/second', scope=rpath, key_func=get_ID) @limiter.limit(DEFAULT_RATELIMIT) @limiter.limit(DEFAULT_RATELIMIT, key_func=get_ID) @auth_required @@ -383,6 +384,7 @@ def thumbnail_thread(pid:int, vid:int): @app.post("/is_repost") @limiter.limit('1/second', scope=rpath) +@limiter.limit('1/second', scope=rpath, key_func=get_ID) @limiter.limit(DEFAULT_RATELIMIT) def is_repost(): not_a_repost = {'permalink': ''} @@ -429,6 +431,7 @@ def is_repost(): @app.post("/submit") @app.post("/h//submit") @limiter.limit('1/second', scope=rpath) +@limiter.limit('1/second', scope=rpath, key_func=get_ID) @limiter.limit(POST_RATELIMIT) @limiter.limit(POST_RATELIMIT, key_func=get_ID) @auth_required @@ -710,6 +713,7 @@ def submit_post(v:User, sub=None): @app.post("/delete_post/") @limiter.limit('1/second', scope=rpath) +@limiter.limit('1/second', scope=rpath, key_func=get_ID) @limiter.limit(DEFAULT_RATELIMIT) @limiter.limit(DEFAULT_RATELIMIT, key_func=get_ID) @auth_required @@ -737,6 +741,7 @@ def delete_post_pid(pid, v): @app.post("/undelete_post/") @limiter.limit('1/second', scope=rpath) +@limiter.limit('1/second', scope=rpath, key_func=get_ID) @limiter.limit(DEFAULT_RATELIMIT) @limiter.limit(DEFAULT_RATELIMIT, key_func=get_ID) @auth_required @@ -760,6 +765,7 @@ def undelete_post_pid(pid, v): @app.post("/mark_post_nsfw/") @feature_required('NSFW_MARKING') @limiter.limit('1/second', scope=rpath) +@limiter.limit('1/second', scope=rpath, key_func=get_ID) @limiter.limit(DEFAULT_RATELIMIT) @limiter.limit(DEFAULT_RATELIMIT, key_func=get_ID) @auth_required 
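Review bot: `/is_repost` is unauthenticated (no auth decorator, `is_repost()` takes no `v`), and the existing `@limiter.limit(DEFAULT_RATELIMIT)` line has no `key_func=get_ID` companion for exactly that reason, yet the new `1/second` line is given one. For anonymous callers `get_ID` must fall back to something; if that is a fixed key, the repost check becomes a single site-wide bucket that one client can exhaust so that nobody's submit-form repost lookup succeeds, and if it is the client address the line is redundant with the IP-keyed one above it. Unless `get_ID` is known to yield a per-visitor key without a login, drop the added line on this route (`@limiter.limit('1/second', scope=rpath)` alone matches the route's existing pattern). The handler body continues outside the hunk.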
@@ -798,6 +804,7 @@ def mark_post_nsfw(pid, v): @app.post("/unmark_post_nsfw/") @feature_required('NSFW_MARKING') @limiter.limit('1/second', scope=rpath) +@limiter.limit('1/second', scope=rpath, key_func=get_ID) @limiter.limit(DEFAULT_RATELIMIT) @limiter.limit(DEFAULT_RATELIMIT, key_func=get_ID) @auth_required @@ -835,6 +842,7 @@ def unmark_post_nsfw(pid, v): @app.post("/save_post/") @limiter.limit('1/second', scope=rpath) +@limiter.limit('1/second', scope=rpath, key_func=get_ID) @limiter.limit(DEFAULT_RATELIMIT) @limiter.limit(DEFAULT_RATELIMIT, key_func=get_ID) @auth_required @@ -852,6 +860,7 @@ def save_post(pid, v): @app.post("/unsave_post/") @limiter.limit('1/second', scope=rpath) +@limiter.limit('1/second', scope=rpath, key_func=get_ID) @limiter.limit(DEFAULT_RATELIMIT) @limiter.limit(DEFAULT_RATELIMIT, key_func=get_ID) @auth_required @@ -868,6 +877,7 @@ def unsave_post(pid, v): @app.post("/pin/") @limiter.limit('1/second', scope=rpath) +@limiter.limit('1/second', scope=rpath, key_func=get_ID) @limiter.limit(DEFAULT_RATELIMIT) @limiter.limit(DEFAULT_RATELIMIT, key_func=get_ID) @auth_required @@ -962,6 +972,7 @@ def get_post_title(v): @app.post("/edit_post/") @limiter.limit('1/second', scope=rpath) +@limiter.limit('1/second', scope=rpath, key_func=get_ID) @limiter.limit("10/minute;100/hour;200/day") @limiter.limit("10/minute;100/hour;200/day", key_func=get_ID) @is_not_permabanned diff --git a/files/routes/push_notifs.py b/files/routes/push_notifs.py index ce0bd03fe..fae3e009c 100644 --- a/files/routes/push_notifs.py +++ b/files/routes/push_notifs.py @@ -5,6 +5,7 @@ from files.classes.push_subscriptions import PushSubscription @app.post("/push_subscribe") @limiter.limit('1/second', scope=rpath) +@limiter.limit('1/second', scope=rpath, key_func=get_ID) @limiter.limit(DEFAULT_RATELIMIT) @limiter.limit(DEFAULT_RATELIMIT, key_func=get_ID) @auth_required diff --git a/files/routes/reporting.py b/files/routes/reporting.py index 5e874b113..56aff6c12 100644 
--- a/files/routes/reporting.py +++ b/files/routes/reporting.py @@ -13,6 +13,7 @@ from files.__main__ import app, limiter, cache @app.post("/report/post/") @limiter.limit('1/second', scope=rpath) +@limiter.limit('1/second', scope=rpath, key_func=get_ID) @limiter.limit(DEFAULT_RATELIMIT) @limiter.limit(DEFAULT_RATELIMIT, key_func=get_ID) @auth_required @@ -75,6 +76,7 @@ def flag_post(pid, v): @app.post("/report/comment/") @limiter.limit('1/second', scope=rpath) +@limiter.limit('1/second', scope=rpath, key_func=get_ID) @limiter.limit(DEFAULT_RATELIMIT) @limiter.limit(DEFAULT_RATELIMIT, key_func=get_ID) @auth_required @@ -106,6 +108,7 @@ def flag_comment(cid, v): @app.post('/del_report/post//') @limiter.limit('1/second', scope=rpath) +@limiter.limit('1/second', scope=rpath, key_func=get_ID) @limiter.limit("100/minute;300/hour;2000/day") @limiter.limit("100/minute;300/hour;2000/day", key_func=get_ID) @admin_level_required(PERMS['FLAGS_REMOVE']) @@ -131,6 +134,7 @@ def remove_report_post(v, pid, uid): @app.post('/del_report/comment//') @limiter.limit('1/second', scope=rpath) +@limiter.limit('1/second', scope=rpath, key_func=get_ID) @limiter.limit("100/minute;300/hour;2000/day") @limiter.limit("100/minute;300/hour;2000/day", key_func=get_ID) @admin_level_required(PERMS['FLAGS_REMOVE']) diff --git a/files/routes/settings.py b/files/routes/settings.py index 5dad90c2b..4806a9655 100644 --- a/files/routes/settings.py +++ b/files/routes/settings.py @@ -52,6 +52,7 @@ def remove_background(v): @app.post('/settings/custom_background') @limiter.limit('1/second', scope=rpath) +@limiter.limit('1/second', scope=rpath, key_func=get_ID) @limiter.limit(DEFAULT_RATELIMIT) @limiter.limit(DEFAULT_RATELIMIT, key_func=get_ID) @auth_required 
@@ -77,6 +78,7 @@ def upload_custom_background(v): @app.post('/settings/profile_background') @limiter.limit('1/second', scope=rpath) +@limiter.limit('1/second', scope=rpath, key_func=get_ID) @limiter.limit(DEFAULT_RATELIMIT) @limiter.limit(DEFAULT_RATELIMIT, key_func=get_ID) @auth_required @@ -109,6 +111,7 @@ def delete_profile_background(v): @app.post("/settings/personal") @limiter.limit('1/second', scope=rpath) +@limiter.limit('1/second', scope=rpath, key_func=get_ID) @limiter.limit(DEFAULT_RATELIMIT) @limiter.limit(DEFAULT_RATELIMIT, key_func=get_ID) @auth_required @@ -374,6 +377,7 @@ def settings_personal_post(v): @app.post("/settings/filters") @limiter.limit('1/second', scope=rpath) +@limiter.limit('1/second', scope=rpath, key_func=get_ID) @limiter.limit(DEFAULT_RATELIMIT) @limiter.limit(DEFAULT_RATELIMIT, key_func=get_ID) @auth_required @@ -403,6 +407,7 @@ def set_color(v:User, attr:str, color:Optional[str]): @app.post("/settings/namecolor") @limiter.limit('1/second', scope=rpath) +@limiter.limit('1/second', scope=rpath, key_func=get_ID) @limiter.limit(DEFAULT_RATELIMIT) @limiter.limit(DEFAULT_RATELIMIT, key_func=get_ID) @auth_required @@ -411,6 +416,7 @@ def namecolor(v): @app.post("/settings/themecolor") @limiter.limit('1/second', scope=rpath) +@limiter.limit('1/second', scope=rpath, key_func=get_ID) @limiter.limit(DEFAULT_RATELIMIT) @limiter.limit(DEFAULT_RATELIMIT, key_func=get_ID) @auth_required @@ -419,6 +425,7 @@ def themecolor(v): @app.post("/settings/titlecolor") @limiter.limit('1/second', scope=rpath) +@limiter.limit('1/second', scope=rpath, key_func=get_ID) @limiter.limit(DEFAULT_RATELIMIT) @limiter.limit(DEFAULT_RATELIMIT, key_func=get_ID) @auth_required @@ -427,6 +434,7 @@ def titlecolor(v): @app.post("/settings/verifiedcolor") @limiter.limit('1/second', scope=rpath) +@limiter.limit('1/second', scope=rpath, key_func=get_ID) @limiter.limit(DEFAULT_RATELIMIT) @limiter.limit(DEFAULT_RATELIMIT, key_func=get_ID) @auth_required 
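Review bot: The eight hunks on this stretch are byte-identical five-decorator stacks — `1/second` keyed by address and by `get_ID`, then the `DEFAULT_RATELIMIT` pair — pasted onto each settings route, which is why this commit has to touch roughly a hundred call sites and why a route that is missing one half of a pair (see the unauthenticated routes elsewhere in the diff) does not stand out. A small helper next to `limiter`, say `limit_ip_and_user(spec, **kw)`, that applies `limiter.limit(spec, **kw)` and `limiter.limit(spec, key_func=get_ID, **kw)` in turn would reduce each stack to `@limit_ip_and_user('1/second', scope=rpath)` and `@limit_ip_and_user(DEFAULT_RATELIMIT)`, making the next policy change a one-line edit and making any deliberate omission of the per-user half explicit rather than accidental. This is a style point only; the applied limits would be unchanged.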
@@ -436,6 +444,7 @@ def verifiedcolor(v): @app.post("/settings/security") @limiter.limit('1/second', scope=rpath) +@limiter.limit('1/second', scope=rpath, key_func=get_ID) @limiter.limit(DEFAULT_RATELIMIT) @limiter.limit(DEFAULT_RATELIMIT, key_func=get_ID) @auth_required @@ -511,6 +520,7 @@ def settings_security_post(v): @app.post("/settings/log_out_all_others") @limiter.limit('1/second', scope=rpath) +@limiter.limit('1/second', scope=rpath, key_func=get_ID) @limiter.limit(DEFAULT_RATELIMIT) @limiter.limit(DEFAULT_RATELIMIT, key_func=get_ID) @auth_required @@ -528,6 +538,7 @@ def settings_log_out_others(v): @app.post("/settings/images/profile") @limiter.limit('1/second', scope=rpath) +@limiter.limit('1/second', scope=rpath, key_func=get_ID) @limiter.limit(DEFAULT_RATELIMIT) @limiter.limit(DEFAULT_RATELIMIT, key_func=get_ID) @auth_required @@ -568,6 +579,7 @@ def settings_images_profile(v): @app.post("/settings/images/banner") @feature_required('USERS_PROFILE_BANNER') @limiter.limit('1/second', scope=rpath) +@limiter.limit('1/second', scope=rpath, key_func=get_ID) @limiter.limit(DEFAULT_RATELIMIT) @limiter.limit(DEFAULT_RATELIMIT, key_func=get_ID) @auth_required @@ -597,6 +609,7 @@ def settings_css_get(v:User): @app.post("/settings/css") @limiter.limit('1/second', scope=rpath) +@limiter.limit('1/second', scope=rpath, key_func=get_ID) @limiter.limit(DEFAULT_RATELIMIT) @limiter.limit(DEFAULT_RATELIMIT, key_func=get_ID) @auth_required @@ -610,6 +623,7 @@ def settings_css(v): @app.post("/settings/profilecss") @limiter.limit('1/second', scope=rpath) +@limiter.limit('1/second', scope=rpath, key_func=get_ID) @limiter.limit(DEFAULT_RATELIMIT) @limiter.limit(DEFAULT_RATELIMIT, key_func=get_ID) @auth_required @@ -637,6 +651,7 @@ def settings_security(v:User): @app.post("/settings/block") @limiter.limit('1/second', scope=rpath) +@limiter.limit('1/second', scope=rpath, key_func=get_ID) @limiter.limit("20/day") @limiter.limit("20/day", key_func=get_ID) @auth_required 
@@ -665,6 +680,7 @@ def settings_block_user(v): @app.post("/settings/unblock") @limiter.limit('1/second', scope=rpath) +@limiter.limit('1/second', scope=rpath, key_func=get_ID) @limiter.limit(DEFAULT_RATELIMIT) @limiter.limit(DEFAULT_RATELIMIT, key_func=get_ID) @auth_required @@ -694,6 +710,7 @@ def settings_advanced_get(v:User): @app.post("/settings/name_change") @limiter.limit('1/second', scope=rpath) +@limiter.limit('1/second', scope=rpath, key_func=get_ID) @limiter.limit(DEFAULT_RATELIMIT) @limiter.limit(DEFAULT_RATELIMIT, key_func=get_ID) @is_not_permabanned @@ -734,6 +751,7 @@ def settings_name_change(v): @app.post("/settings/song_change_mp3") @feature_required('USERS_PROFILE_SONG') @limiter.limit('1/second', scope=rpath) +@limiter.limit('1/second', scope=rpath, key_func=get_ID) @limiter.limit("10/day") @limiter.limit("10/day", key_func=get_ID) @auth_required @@ -799,6 +817,7 @@ def _change_song_youtube(vid, id): @app.post("/settings/song_change") @feature_required('USERS_PROFILE_SONG') @limiter.limit('1/second', scope=rpath) +@limiter.limit('1/second', scope=rpath, key_func=get_ID) @limiter.limit("10/day") @limiter.limit("10/day", key_func=get_ID) @auth_required @@ -851,6 +870,7 @@ def settings_song_change(v): @app.post("/settings/title_change") @limiter.limit('1/second', scope=rpath) +@limiter.limit('1/second', scope=rpath, key_func=get_ID) @limiter.limit(DEFAULT_RATELIMIT) @limiter.limit(DEFAULT_RATELIMIT, key_func=get_ID) @auth_required @@ -881,6 +901,7 @@ def settings_title_change(v): @app.post("/settings/pronouns_change") @feature_required('PRONOUNS') @limiter.limit('1/second', scope=rpath) +@limiter.limit('1/second', scope=rpath, key_func=get_ID) @limiter.limit(DEFAULT_RATELIMIT) @limiter.limit(DEFAULT_RATELIMIT, key_func=get_ID) @auth_required 
@@ -908,6 +929,7 @@ def settings_pronouns_change(v): @app.post("/settings/checkmark_text") @limiter.limit('1/second', scope=rpath) +@limiter.limit('1/second', scope=rpath, key_func=get_ID) @limiter.limit(DEFAULT_RATELIMIT) @limiter.limit(DEFAULT_RATELIMIT, key_func=get_ID) @auth_required @@ -923,6 +945,7 @@ def settings_checkmark_text(v): if IS_FISTMAS(): @app.post("/events/fistmas2022/darkmode") @limiter.limit('1/second', scope=rpath) + @limiter.limit('1/second', scope=rpath, key_func=get_ID) @limiter.limit(DEFAULT_RATELIMIT) @limiter.limit(DEFAULT_RATELIMIT, key_func=get_ID) @auth_required diff --git a/files/routes/static.py b/files/routes/static.py index 331a2d402..1f084efac 100644 --- a/files/routes/static.py +++ b/files/routes/static.py @@ -253,6 +253,7 @@ def contact(v:Optional[User]): @app.post("/contact") @limiter.limit('1/second', scope=rpath) +@limiter.limit('1/second', scope=rpath, key_func=get_ID) @limiter.limit("1/minute;10/day") @limiter.limit("1/minute;10/day", key_func=get_ID) @auth_required @@ -352,6 +353,7 @@ def mobile_app(v:Optional[User]): @app.post("/dismiss_mobile_tip") @limiter.limit('1/second', scope=rpath) +@limiter.limit('1/second', scope=rpath, key_func=get_ID) @limiter.limit(DEFAULT_RATELIMIT) def dismiss_mobile_tip(): session["tooltip_last_dismissed"] = int(time.time()) diff --git a/files/routes/subs.py b/files/routes/subs.py index 26f69ed79..fa23b4785 100644 --- a/files/routes/subs.py +++ b/files/routes/subs.py @@ -9,6 +9,7 @@ from files.__main__ import app, cache, limiter @app.post("/exile/post/") @limiter.limit('1/second', scope=rpath) +@limiter.limit('1/second', scope=rpath, key_func=get_ID) @limiter.limit(DEFAULT_RATELIMIT) @limiter.limit(DEFAULT_RATELIMIT, key_func=get_ID) @is_not_permabanned 
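Review bot: `/dismiss_mobile_tip` has no auth decorator and `dismiss_mobile_tip()` takes no `v`, so the added `key_func=get_ID` limit runs for anonymous visitors, and the existing `@limiter.limit(DEFAULT_RATELIMIT)` line on the same route was left without a `get_ID` twin — the two lines now disagree about whether per-user limiting applies to anonymous traffic. The stakes here are low (the handler only sets `session["tooltip_last_dismissed"]`), but if `get_ID` maps anonymous requests to one shared key this is a site-wide 1/second bucket, and the same question applies to the other `def ...():` handlers without `v` in this diff. For consistency with the existing line, drop the added `get_ID` limit on routes that have no `@auth_required`, or document in the limiter module what `get_ID` returns when there is no authenticated user.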
@@ -43,6 +44,7 @@ def exile_post(v:User, pid): @app.post("/exile/comment/") @limiter.limit('1/second', scope=rpath) +@limiter.limit('1/second', scope=rpath, key_func=get_ID) @limiter.limit(DEFAULT_RATELIMIT) @limiter.limit(DEFAULT_RATELIMIT, key_func=get_ID) @is_not_permabanned @@ -77,6 +79,7 @@ def exile_comment(v:User, cid): @app.post("/h//unexile/") @limiter.limit('1/second', scope=rpath) +@limiter.limit('1/second', scope=rpath, key_func=get_ID) @limiter.limit(DEFAULT_RATELIMIT) @limiter.limit(DEFAULT_RATELIMIT, key_func=get_ID) @is_not_permabanned @@ -108,6 +111,7 @@ def unexile(v:User, sub, uid): @app.post("/h//block") @limiter.limit('1/second', scope=rpath) +@limiter.limit('1/second', scope=rpath, key_func=get_ID) @limiter.limit(DEFAULT_RATELIMIT) @limiter.limit(DEFAULT_RATELIMIT, key_func=get_ID) @auth_required @@ -122,6 +126,7 @@ def block_sub(v:User, sub): @app.post("/h//unblock") @limiter.limit('1/second', scope=rpath) +@limiter.limit('1/second', scope=rpath, key_func=get_ID) @limiter.limit(DEFAULT_RATELIMIT) @limiter.limit(DEFAULT_RATELIMIT, key_func=get_ID) @auth_required @@ -140,6 +145,7 @@ def unblock_sub(v:User, sub): @app.post("/h//subscribe") @limiter.limit('1/second', scope=rpath) +@limiter.limit('1/second', scope=rpath, key_func=get_ID) @limiter.limit(DEFAULT_RATELIMIT) @limiter.limit(DEFAULT_RATELIMIT, key_func=get_ID) @auth_required @@ -154,6 +160,7 @@ def subscribe_sub(v:User, sub): @app.post("/h//unsubscribe") @limiter.limit('1/second', scope=rpath) +@limiter.limit('1/second', scope=rpath, key_func=get_ID) @limiter.limit(DEFAULT_RATELIMIT) @limiter.limit(DEFAULT_RATELIMIT, key_func=get_ID) @auth_required @@ -167,6 +174,7 @@ def unsubscribe_sub(v:User, sub): @app.post("/h//follow") @limiter.limit('1/second', scope=rpath) +@limiter.limit('1/second', scope=rpath, key_func=get_ID) @limiter.limit(DEFAULT_RATELIMIT) @limiter.limit(DEFAULT_RATELIMIT, key_func=get_ID) @auth_required 
@@ -184,6 +192,7 @@ def follow_sub(v:User, sub): @app.post("/h//unfollow") @limiter.limit('1/second', scope=rpath) +@limiter.limit('1/second', scope=rpath, key_func=get_ID) @limiter.limit(DEFAULT_RATELIMIT) @limiter.limit(DEFAULT_RATELIMIT, key_func=get_ID) @auth_required @@ -258,6 +267,7 @@ def sub_followers(v:User, sub): @app.post("/h//add_mod") @limiter.limit('1/second', scope=rpath) +@limiter.limit('1/second', scope=rpath, key_func=get_ID) @limiter.limit("30/day") @limiter.limit("30/day", key_func=get_ID) @is_not_permabanned @@ -297,6 +307,7 @@ def add_mod(v:User, sub): @app.post("/h//remove_mod") @limiter.limit('1/second', scope=rpath) +@limiter.limit('1/second', scope=rpath, key_func=get_ID) @limiter.limit(DEFAULT_RATELIMIT) @limiter.limit(DEFAULT_RATELIMIT, key_func=get_ID) @is_not_permabanned @@ -349,6 +360,7 @@ def create_sub(v): @app.post("/create_hole") @limiter.limit('1/second', scope=rpath) +@limiter.limit('1/second', scope=rpath, key_func=get_ID) @limiter.limit(DEFAULT_RATELIMIT) @limiter.limit(DEFAULT_RATELIMIT, key_func=get_ID) @is_not_permabanned @@ -388,6 +400,7 @@ def create_sub2(v): @app.post("/kick/") @limiter.limit('1/second', scope=rpath) +@limiter.limit('1/second', scope=rpath, key_func=get_ID) @limiter.limit(DEFAULT_RATELIMIT) @limiter.limit(DEFAULT_RATELIMIT, key_func=get_ID) @is_not_permabanned @@ -432,6 +445,7 @@ def sub_settings(v:User, sub): @app.post('/h//sidebar') @limiter.limit('1/second', scope=rpath) +@limiter.limit('1/second', scope=rpath, key_func=get_ID) @limiter.limit(DEFAULT_RATELIMIT) @limiter.limit(DEFAULT_RATELIMIT, key_func=get_ID) @is_not_permabanned @@ -458,6 +472,7 @@ def post_sub_sidebar(v:User, sub): @app.post('/h//css') @limiter.limit('1/second', scope=rpath) +@limiter.limit('1/second', scope=rpath, key_func=get_ID) @limiter.limit(DEFAULT_RATELIMIT) @limiter.limit(DEFAULT_RATELIMIT, key_func=get_ID) @is_not_permabanned 
@@ -500,6 +515,7 @@ def get_sub_css(sub): @app.post("/h//settings/banners/") @limiter.limit('1/second', scope=rpath) +@limiter.limit('1/second', scope=rpath, key_func=get_ID) @limiter.limit("50/day") @limiter.limit("50/day", key_func=get_ID) @is_not_permabanned @@ -588,6 +604,7 @@ def delete_all_sub_banners(v:User, sub:str): @app.post("/h//sidebar_image") @limiter.limit('1/second', scope=rpath) +@limiter.limit('1/second', scope=rpath, key_func=get_ID) @limiter.limit("10/day") @limiter.limit("10/day", key_func=get_ID) @is_not_permabanned @@ -620,6 +637,7 @@ def sub_sidebar(v:User, sub): @app.post("/h//marsey_image") @limiter.limit('1/second', scope=rpath) +@limiter.limit('1/second', scope=rpath, key_func=get_ID) @limiter.limit("10/day") @limiter.limit("10/day", key_func=get_ID) @is_not_permabanned @@ -662,6 +680,7 @@ def subs(v:User): @app.post("/hole_pin/") @limiter.limit('1/second', scope=rpath) +@limiter.limit('1/second', scope=rpath, key_func=get_ID) @limiter.limit(DEFAULT_RATELIMIT) @limiter.limit(DEFAULT_RATELIMIT, key_func=get_ID) @is_not_permabanned @@ -697,6 +716,7 @@ def hole_pin(v:User, pid): @app.post("/hole_unpin/") @limiter.limit('1/second', scope=rpath) +@limiter.limit('1/second', scope=rpath, key_func=get_ID) @limiter.limit(DEFAULT_RATELIMIT) @limiter.limit(DEFAULT_RATELIMIT, key_func=get_ID) @is_not_permabanned @@ -729,6 +749,7 @@ def hole_unpin(v:User, pid): @app.post('/h//stealth') @limiter.limit('1/second', scope=rpath) +@limiter.limit('1/second', scope=rpath, key_func=get_ID) @limiter.limit(DEFAULT_RATELIMIT) @limiter.limit(DEFAULT_RATELIMIT, key_func=get_ID) @is_not_permabanned @@ -764,6 +785,7 @@ def sub_stealth(v:User, sub): @app.post("/mod_pin/") @feature_required('PINS') @limiter.limit('1/second', scope=rpath) +@limiter.limit('1/second', scope=rpath, key_func=get_ID) @limiter.limit(DEFAULT_RATELIMIT) @limiter.limit(DEFAULT_RATELIMIT, key_func=get_ID) @is_not_permabanned 
@@ -794,6 +816,7 @@ def mod_pin(cid, v): @app.post("/unmod_pin/") @limiter.limit('1/second', scope=rpath) +@limiter.limit('1/second', scope=rpath, key_func=get_ID) @limiter.limit(DEFAULT_RATELIMIT) @limiter.limit(DEFAULT_RATELIMIT, key_func=get_ID) @is_not_permabanned diff --git a/files/routes/users.py b/files/routes/users.py index 9d22ee3e7..8885b4007 100644 --- a/files/routes/users.py +++ b/files/routes/users.py @@ -311,6 +311,7 @@ def downvoting(v:User, username:str): @app.post("/@/suicide") @feature_required('USERS_SUICIDE') @limiter.limit('1/second', scope=rpath) +@limiter.limit('1/second', scope=rpath, key_func=get_ID) @limiter.limit("5/day") @limiter.limit("5/day", key_func=get_ID) @auth_required @@ -372,6 +373,7 @@ def transfer_currency(v:User, username:str, currency_name:Literal['coins', 'mars @app.post("/@/transfer_coins") @limiter.limit('1/second', scope=rpath) +@limiter.limit('1/second', scope=rpath, key_func=get_ID) @limiter.limit(DEFAULT_RATELIMIT) @limiter.limit(DEFAULT_RATELIMIT, key_func=get_ID) @is_not_permabanned @@ -381,6 +383,7 @@ def transfer_coins(v:User, username:str): @app.post("/@/transfer_bux") @feature_required('MARSEYBUX') @limiter.limit('1/second', scope=rpath) +@limiter.limit('1/second', scope=rpath, key_func=get_ID) @limiter.limit(DEFAULT_RATELIMIT) @limiter.limit(DEFAULT_RATELIMIT, key_func=get_ID) @is_not_permabanned @@ -471,6 +474,7 @@ def usersong(username:str): @app.post("/subscribe/") @limiter.limit('1/second', scope=rpath) +@limiter.limit('1/second', scope=rpath, key_func=get_ID) @limiter.limit(DEFAULT_RATELIMIT) @limiter.limit(DEFAULT_RATELIMIT, key_func=get_ID) @auth_required @@ -483,6 +487,7 @@ def subscribe(v, post_id): @app.post("/unsubscribe/") @limiter.limit('1/second', scope=rpath) +@limiter.limit('1/second', scope=rpath, key_func=get_ID) @limiter.limit(DEFAULT_RATELIMIT) @limiter.limit(DEFAULT_RATELIMIT, key_func=get_ID) @auth_required 
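Review bot: The per-user `1/second` limit added to `/@/transfer_coins` and `/@/transfer_bux` should not be mistaken for double-spend protection: the limiter is checked in a before-request hook, and depending on the storage backend and number of workers two requests inside the same second can both pass before either is counted, so the limiter is a throttle, not a transaction. Whether the sender's balance is debited atomically (a row lock or a conditional `UPDATE ... WHERE coins >= amount`) is decided in `transfer_currency`, whose body is above and outside this hunk and cannot be confirmed here; if it is not atomic, that is where the fix belongs rather than in tighter limits. A one-line comment on the route would make the intent clear: `# limits are abuse throttling only; balance atomicity is enforced in transfer_currency`.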
@@ -494,6 +499,7 @@ def unsubscribe(v, post_id): @app.post("/@/message") @limiter.limit('1/second', scope=rpath) +@limiter.limit('1/second', scope=rpath, key_func=get_ID) @limiter.limit("10/minute;20/hour;50/day") @limiter.limit("10/minute;20/hour;50/day", key_func=get_ID) @is_not_permabanned @@ -557,6 +563,7 @@ def message2(v:User, username:str): @app.post("/reply") @limiter.limit('1/second', scope=rpath) +@limiter.limit('1/second', scope=rpath, key_func=get_ID) @limiter.limit("6/minute;50/hour;200/day") @limiter.limit("6/minute;50/hour;200/day", key_func=get_ID) @auth_required @@ -1069,6 +1076,7 @@ def u_user_id_info(id, v=None): @app.post("/follow/") @limiter.limit('1/second', scope=rpath) +@limiter.limit('1/second', scope=rpath, key_func=get_ID) @limiter.limit(DEFAULT_RATELIMIT) @limiter.limit(DEFAULT_RATELIMIT, key_func=get_ID) @auth_required @@ -1096,6 +1104,7 @@ def follow_user(username, v): @app.post("/unfollow/") @limiter.limit('1/second', scope=rpath) +@limiter.limit('1/second', scope=rpath, key_func=get_ID) @limiter.limit(DEFAULT_RATELIMIT) @limiter.limit(DEFAULT_RATELIMIT, key_func=get_ID) @auth_required @@ -1127,6 +1136,7 @@ def unfollow_user(username, v): @app.post("/remove_follow/") @limiter.limit('1/second', scope=rpath) +@limiter.limit('1/second', scope=rpath, key_func=get_ID) @limiter.limit(DEFAULT_RATELIMIT) @limiter.limit(DEFAULT_RATELIMIT, key_func=get_ID) @auth_required @@ -1222,6 +1232,7 @@ def subscribed_posts(v:User, username): @app.post("/fp/") @limiter.limit('1/second', scope=rpath) +@limiter.limit('1/second', scope=rpath, key_func=get_ID) @limiter.limit(DEFAULT_RATELIMIT) @limiter.limit(DEFAULT_RATELIMIT, key_func=get_ID) @auth_required @@ -1392,6 +1403,7 @@ if KOFI_TOKEN: @app.post("/gumroad") @limiter.limit('1/second', scope=rpath) +@limiter.limit('1/second', scope=rpath, key_func=get_ID) @limiter.limit(DEFAULT_RATELIMIT) def gumroad(): data = request.values 
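Review bot: `/gumroad` is a webhook receiver rather than a user-facing form — `gumroad()` takes no `v`, has no auth decorator, and reads `request.values` directly — so the callers are the payment provider's servers, and the added `+@limiter.limit('1/second', scope=rpath, key_func=get_ID)` will key on whatever `get_ID` falls back to for an anonymous request. If that is the client address or a constant, a burst of legitimate sale notifications from one provider egress IP is answered with 429s and the corresponding purchases are silently dropped unless the provider retries, which this code cannot rely on. The existing `@limiter.limit(DEFAULT_RATELIMIT)` on this route already omits the `get_ID` twin; keep that pattern for webhook routes and rely on the handler's own authentication of the payload (its body, and whatever secret or signature check it performs, lies outside the hunk).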
@@ -1431,6 +1443,7 @@ def gumroad(): @app.post("/settings/claim_rewards") @limiter.limit('1/second', scope=rpath) +@limiter.limit('1/second', scope=rpath, key_func=get_ID) @limiter.limit(DEFAULT_RATELIMIT) @limiter.limit(DEFAULT_RATELIMIT, key_func=get_ID) @auth_required diff --git a/files/routes/votes.py b/files/routes/votes.py index 4ce76c0db..80a719a0a 100644 --- a/files/routes/votes.py +++ b/files/routes/votes.py @@ -187,6 +187,7 @@ def vote_post_comment(target_id, new, v, cls, vote_cls): @app.post("/vote/post//") @limiter.limit('1/second', scope=rpath) +@limiter.limit('1/second', scope=rpath, key_func=get_ID) @limiter.limit("60/minute;1000/hour;2000/day") @limiter.limit("60/minute;1000/hour;2000/day", key_func=get_ID) @is_not_permabanned @@ -195,6 +196,7 @@ def vote_post(post_id, new, v): @app.post("/vote/comment//") @limiter.limit('1/second', scope=rpath) +@limiter.limit('1/second', scope=rpath, key_func=get_ID) @limiter.limit("60/minute;1000/hour;2000/day") @limiter.limit("60/minute;1000/hour;2000/day", key_func=get_ID) @is_not_permabanned
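Review bot: Both added vote limits use `scope=rpath`, and what that means depends on what `rpath` is, which is not visible in this diff: if it is a callable returning the request path, the `1/second` bucket is per URL including the target id, so a client may still vote on different posts or comments faster than once per second and only the `"60/minute;1000/hour;2000/day"` lines below actually bound fan-out; if it is a fixed string, every `scope=rpath` limit in the application shares one bucket per key and a vote followed by an unrelated POST within the same second will 429. Either reading is defensible, but the decorators read as "one vote per second per user", which is true only under the second interpretation. A short comment where `rpath` is defined, or `# scope=rpath: one bucket per request path, not per route`, would spare the next reader the same check.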