From aa272729f1b8bc0f135484d38596f815af7f244e Mon Sep 17 00:00:00 2001
From: justcool393
Date: Sun, 13 Nov 2022 00:43:35 -0600
Subject: [PATCH] default ratelimit and default ratelimit slower
---
 files/helpers/const.py | 4 ++++
 files/helpers/wrappers.py | 2 +-
 files/mail/__init__.py | 2 +-
 files/routes/admin.py | 44 +++++++++++++++++++--------------------
 files/routes/awards.py | 2 +-
 files/routes/comments.py | 10 ++++-----
 files/routes/login.py | 6 +++---
 files/routes/oauth.py | 18 ++++++++--------
 files/routes/posts.py | 14 ++++++-------
 files/routes/reporting.py | 4 ++--
 files/routes/settings.py | 36 ++++++++++++++++----------------
 files/routes/subs.py | 4 ++--
 files/routes/users.py | 16 +++++++-------
 13 files changed, 83 insertions(+), 79 deletions(-)
diff --git a/files/helpers/const.py b/files/helpers/const.py
index bfe10ba7f..304008cad 100644
--- a/files/helpers/const.py
+++ b/files/helpers/const.py
@@ -53,6 +53,10 @@ CONTENT_SECURITY_POLICY_HOME = f"script-src 'self' 'unsafe-inline' 'unsafe-eval'
 CLOUDFLARE_COOKIE_VALUE = "yes."
+DEFAULT_RATELIMIT = "3/second;30/minute;200/hour;1000/day"
+DEFAULT_RATELIMIT_SLOWER = "1/second;30/minute;200/hour;1000/day"
+DEFAULT_RATELIMIT_USER = DEFAULT_RATELIMIT_SLOWER
+
 if SITE == "localhost": SITE_FULL = 'http://' + SITE
 else: SITE_FULL = 'https://' + SITE
diff --git a/files/helpers/wrappers.py b/files/helpers/wrappers.py
index cff7458e3..62daedcb0 100644
--- a/files/helpers/wrappers.py
+++ b/files/helpers/wrappers.py
@@ -146,5 +146,5 @@ def feature_required(x):
 return wrapper
 return wrapper_maker
-def ratelimit_user(limit="1/second;30/minute;200/hour;1000/day"):
+def ratelimit_user(limit=DEFAULT_RATELIMIT_USER):
 return limiter.limit(limit, key_func=lambda:f'{SITE}-{session.get("lo_user")}')
diff --git a/files/mail/__init__.py b/files/mail/__init__.py
index d2f69aec1..86c79d0b1 100644
--- a/files/mail/__init__.py
+++ b/files/mail/__init__.py
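Review bot: `DEFAULT_RATELIMIT` (3/second) is defined in the const.py hunk but not referenced by any of the call sites this patch converts — every one of them takes `DEFAULT_RATELIMIT_SLOWER` — so either the constant is unused for now or some routes were meant to get the faster tier; the commit message does not say which. `DEFAULT_RATELIMIT_USER` is a bare alias of the slower value, which leaves the reason per-user limiting tracks the slower tier undocumented. A short comment above the three lines would make the intent reviewable, e.g. `# Limit strings in limiter.limit() syntax: "N/period" entries separated by ";", all of which are enforced.` followed by `# _USER is the default for ratelimit_user(); it intentionally tracks the slower tier.`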
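Review bot: The new default `DEFAULT_RATELIMIT_USER` in `ratelimit_user` is evaluated when wrappers.py is imported, and the hunk does not show the module importing it from files.helpers.const; if wrappers.py does not already star-import const (it presumably does, but that is outside the hunk), the failure is a NameError at import time rather than at request time. The same check applies to every route file in this patch, reporting.py in particular, whose hunk shows only `from files.helpers.sanitize import filter_emojis_only` at the top of the file. Since the limit value now lives in another module, a docstring would help: `"""Per-user limiter keyed on the session's lo_user; *limit* uses limiter.limit() syntax."""`.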
@@ -50,7 +50,7 @@ def send_verification_email(user, email=None):
 @app.post("/verify_email")
-@limiter.limit("1/second;30/minute;200/hour;1000/day")
+@limiter.limit(DEFAULT_RATELIMIT_SLOWER)
 @ratelimit_user()
 @auth_required
 def verify_email(v):
diff --git a/files/routes/admin.py b/files/routes/admin.py
index d900ab946..bbe49c05f 100644
--- a/files/routes/admin.py
+++ b/files/routes/admin.py
@@ -193,7 +193,7 @@ def remove_admin(v, username):
 return {"message": f"@{user.username} has been removed as admin!"}
 @app.post("/distribute/")
-@limiter.limit("1/second;30/minute;200/hour;1000/day")
+@limiter.limit(DEFAULT_RATELIMIT_SLOWER)
 @admin_level_required(PERMS['POST_BETS_DISTRIBUTE'])
 def distribute(v, option_id):
 autojanny = get_account(AUTOJANNY_ID)
@@ -249,7 +249,7 @@ def distribute(v, option_id):
 return {"message": f"Each winner has received {coinsperperson} coins!"}
 @app.post("/@/revert_actions")
-@limiter.limit("1/second;30/minute;200/hour;1000/day")
+@limiter.limit(DEFAULT_RATELIMIT_SLOWER)
 @admin_level_required(PERMS['ADMIN_ACTIONS_REVERT'])
 def revert_actions(v, username):
 user = get_user(username)
@@ -299,7 +299,7 @@ def revert_actions(v, username):
 return {"message": f"@{user.username}'s admin actions have been reverted!"}
 @app.post("/@/club_allow")
-@limiter.limit("1/second;30/minute;200/hour;1000/day")
+@limiter.limit(DEFAULT_RATELIMIT_SLOWER)
 @admin_level_required(PERMS['USER_CLUB_ALLOW_BAN'])
 def club_allow(v, username):
 u = get_user(username, v=v)
@@ -325,7 +325,7 @@ def club_allow(v, username):
 return {"message": f"@{u.username} has been allowed into the {CC_TITLE}!"}
 @app.post("/@/club_ban")
-@limiter.limit("1/second;30/minute;200/hour;1000/day")
+@limiter.limit(DEFAULT_RATELIMIT_SLOWER)
 @admin_level_required(PERMS['USER_CLUB_ALLOW_BAN'])
 def club_ban(v, username):
 u = get_user(username, v=v)
@@ -528,7 +528,7 @@ def badge_grant_get(v):
 return render_template("admin/badge_admin.html", v=v, badge_types=badges, grant=grant)
 @app.post("/admin/badge_grant")
-@limiter.limit("1/second;30/minute;200/hour;1000/day")
+@limiter.limit(DEFAULT_RATELIMIT_SLOWER)
 @admin_level_required(PERMS['USER_BADGES'])
 @feature_required('BADGES')
 def badge_grant_post(v):
@@ -577,7 +577,7 @@ def badge_grant_post(v):
 return render_template("admin/badge_admin.html", v=v, badge_types=badges, grant=True, msg=f"{new_badge.name} Badge granted to @{user.username} successfully!")
 @app.post("/admin/badge_remove")
-@limiter.limit("1/second;30/minute;200/hour;1000/day")
+@limiter.limit(DEFAULT_RATELIMIT_SLOWER)
 @admin_level_required(PERMS['USER_BADGES'])
 @feature_required('BADGES')
 def badge_remove_post(v):
@@ -740,7 +740,7 @@ def alt_votes_get(v):
 @app.post("/admin/link_accounts")
-@limiter.limit("1/second;30/minute;200/hour;1000/day")
+@limiter.limit(DEFAULT_RATELIMIT_SLOWER)
 @admin_level_required(PERMS['USER_LINK'])
 def admin_link_accounts(v):
 u1 = get_account(request.values.get("u1")).id
@@ -837,7 +837,7 @@ def unagendaposter(user_id, v):
 @app.post("/shadowban/")
-@limiter.limit("1/second;30/minute;200/hour;1000/day")
+@limiter.limit(DEFAULT_RATELIMIT_SLOWER)
 @admin_level_required(PERMS['USER_SHADOWBAN'])
 def shadowban(user_id, v):
 user = get_account(user_id)
@@ -868,7 +868,7 @@ def shadowban(user_id, v):
 return {"message": f"@{user.username} has been shadowbanned!"}
 @app.post("/unshadowban/")
-@limiter.limit("1/second;30/minute;200/hour;1000/day")
+@limiter.limit(DEFAULT_RATELIMIT_SLOWER)
 @admin_level_required(PERMS['USER_SHADOWBAN'])
 def unshadowban(user_id, v):
 user = get_account(user_id)
@@ -893,7 +893,7 @@ def unshadowban(user_id, v):
 @app.post("/admin/title_change/")
-@limiter.limit("1/second;30/minute;200/hour;1000/day")
+@limiter.limit(DEFAULT_RATELIMIT_SLOWER)
 @admin_level_required(PERMS['USER_TITLE_CHANGE'])
 def admin_title_change(user_id, v):
@@ -929,7 +929,7 @@ def admin_title_change(user_id, v):
 return {"message": f"@{user.username}'s flair has been changed!"}
 @app.post("/ban_user/")
-@limiter.limit("1/second;30/minute;200/hour;1000/day")
+@limiter.limit(DEFAULT_RATELIMIT_SLOWER)
 @admin_level_required(PERMS['USER_BAN'])
 def ban_user(user_id, v):
 user = get_account(user_id)
@@ -1064,7 +1064,7 @@ def agendaposter(user_id, v):
 @app.post("/unban_user/")
-@limiter.limit("1/second;30/minute;200/hour;1000/day")
+@limiter.limit(DEFAULT_RATELIMIT_SLOWER)
 @admin_level_required(PERMS['USER_BAN'])
 def unban_user(user_id, v):
 user = get_account(user_id)
@@ -1097,7 +1097,7 @@ def unban_user(user_id, v):
 return {"message": f"@{user.username} has been unbanned!"}
 @app.post("/mute_user/")
-@limiter.limit("1/second;30/minute;200/hour;1000/day")
+@limiter.limit(DEFAULT_RATELIMIT_SLOWER)
 @admin_level_required(PERMS['USER_BAN'])
 def mute_user(v, user_id):
 user = get_account(user_id)
@@ -1116,7 +1116,7 @@ def mute_user(v, user_id):
 @app.post("/unmute_user/")
-@limiter.limit("1/second;30/minute;200/hour;1000/day")
+@limiter.limit(DEFAULT_RATELIMIT_SLOWER)
 @admin_level_required(PERMS['USER_BAN'])
 def unmute_user(v, user_id):
 user = get_account(user_id)
@@ -1135,7 +1135,7 @@ def unmute_user(v, user_id):
 @app.post("/remove_post/")
-@limiter.limit("1/second;30/minute;200/hour;1000/day")
+@limiter.limit(DEFAULT_RATELIMIT_SLOWER)
 @admin_level_required(PERMS['POST_COMMENT_MODERATION'])
 def remove_post(post_id, v):
 post = get_post(post_id)
@@ -1163,7 +1163,7 @@ def remove_post(post_id, v):
 @app.post("/approve_post/")
-@limiter.limit("1/second;30/minute;200/hour;1000/day")
+@limiter.limit(DEFAULT_RATELIMIT_SLOWER)
 @admin_level_required(PERMS['POST_COMMENT_MODERATION'])
 def approve_post(post_id, v):
@@ -1336,7 +1336,7 @@ def unsticky_comment(cid, v):
 @app.post("/remove_comment/")
-@limiter.limit("1/second;30/minute;200/hour;1000/day")
+@limiter.limit(DEFAULT_RATELIMIT_SLOWER)
 @admin_level_required(PERMS['POST_COMMENT_MODERATION'])
 def remove_comment(c_id, v):
 comment = get_comment(c_id)
@@ -1356,7 +1356,7 @@ def remove_comment(c_id, v):
 @app.post("/approve_comment/")
-@limiter.limit("1/second;30/minute;200/hour;1000/day")
+@limiter.limit(DEFAULT_RATELIMIT_SLOWER)
 @admin_level_required(PERMS['POST_COMMENT_MODERATION'])
 def approve_comment(c_id, v):
@@ -1418,7 +1418,7 @@ def admin_banned_domains(v):
 return render_template("admin/banned_domains.html", v=v, banned_domains=banned_domains)
 @app.post("/admin/ban_domain")
-@limiter.limit("1/second;30/minute;200/hour;1000/day")
+@limiter.limit(DEFAULT_RATELIMIT_SLOWER)
 @admin_level_required(PERMS['DOMAINS_BAN'])
 def ban_domain(v):
@@ -1443,7 +1443,7 @@ def ban_domain(v):
 @app.post("/admin/unban_domain/")
-@limiter.limit("1/second;30/minute;200/hour;1000/day")
+@limiter.limit(DEFAULT_RATELIMIT_SLOWER)
 @admin_level_required(PERMS['DOMAINS_BAN'])
 def unban_domain(v, domain):
 existing = g.db.get(BannedDomain, domain)
@@ -1462,7 +1462,7 @@ def unban_domain(v, domain):
 @app.post("/admin/nuke_user")
-@limiter.limit("1/second;30/minute;200/hour;1000/day")
+@limiter.limit(DEFAULT_RATELIMIT_SLOWER)
 @admin_level_required(PERMS['POST_COMMENT_MODERATION'])
 def admin_nuke_user(v):
@@ -1495,7 +1495,7 @@ def admin_nuke_user(v):
 @app.post("/admin/unnuke_user")
-@limiter.limit("1/second;30/minute;200/hour;1000/day")
+@limiter.limit(DEFAULT_RATELIMIT_SLOWER)
 @admin_level_required(PERMS['POST_COMMENT_MODERATION'])
 def admin_nunuke_user(v):
diff --git a/files/routes/awards.py b/files/routes/awards.py
index a9d71655e..fd386cddc 100644
--- a/files/routes/awards.py
+++ b/files/routes/awards.py
@@ -120,7 +120,7 @@ def buy(v, award):
 return {"message": f"{award_title} award bought!"}
 @app.post("/award//")
-@limiter.limit("1/second;30/minute;200/hour;1000/day")
+@limiter.limit(DEFAULT_RATELIMIT_SLOWER)
 @ratelimit_user()
 @is_not_permabanned
 @feature_required('AWARDS')
diff --git a/files/routes/comments.py b/files/routes/comments.py
index c65c4deeb..efb401a2c 100644
--- a/files/routes/comments.py
+++ b/files/routes/comments.py
@@ -457,7 +457,7 @@ def edit_comment(cid, v):
 @app.post("/delete/comment/")
-@limiter.limit("1/second;30/minute;200/hour;1000/day")
+@limiter.limit(DEFAULT_RATELIMIT_SLOWER)
 @ratelimit_user()
 @auth_required
 def delete_comment(cid, v):
@@ -485,7 +485,7 @@ def delete_comment(cid, v):
 return {"message": "Comment deleted!"}
 @app.post("/undelete/comment/")
-@limiter.limit("1/second;30/minute;200/hour;1000/day")
+@limiter.limit(DEFAULT_RATELIMIT_SLOWER)
 @ratelimit_user()
 @auth_required
 def undelete_comment(cid, v):
@@ -557,7 +557,7 @@ def unpin_comment(cid, v):
 @app.post("/save_comment/")
-@limiter.limit("1/second;30/minute;200/hour;1000/day")
+@limiter.limit(DEFAULT_RATELIMIT_SLOWER)
 @ratelimit_user()
 @auth_required
 def save_comment(cid, v):
@@ -574,7 +574,7 @@ def save_comment(cid, v):
 return {"message": "Comment saved!"}
 @app.post("/unsave_comment/")
-@limiter.limit("1/second;30/minute;200/hour;1000/day")
+@limiter.limit(DEFAULT_RATELIMIT_SLOWER)
 @ratelimit_user()
 @auth_required
 def unsave_comment(cid, v):
@@ -610,7 +610,7 @@ def diff_words(answer, guess):
 @app.post("/wordle/")
-@limiter.limit("1/second;30/minute;200/hour;1000/day")
+@limiter.limit(DEFAULT_RATELIMIT_SLOWER)
 @ratelimit_user()
 @auth_required
 def handle_wordle_action(cid, v):
diff --git a/files/routes/login.py b/files/routes/login.py
index 0e802fca3..f9202ad7c 100644
--- a/files/routes/login.py
+++ b/files/routes/login.py
@@ -180,7 +180,7 @@ def me(v):
 @app.post("/logout")
-@limiter.limit("1/second;30/minute;200/hour;1000/day")
+@limiter.limit(DEFAULT_RATELIMIT_SLOWER)
 @ratelimit_user()
 @auth_required
 def logout(v):
@@ -397,7 +397,7 @@ def get_forgot():
 @app.post("/forgot")
-@limiter.limit("1/second;30/minute;200/hour;1000/day")
+@limiter.limit(DEFAULT_RATELIMIT_SLOWER)
 def post_forgot():
 username = request.values.get("username")
@@ -469,7 +469,7 @@ def get_reset():
 @app.post("/reset")
-@limiter.limit("1/second;30/minute;200/hour;1000/day")
+@limiter.limit(DEFAULT_RATELIMIT_SLOWER)
 @auth_desired
 def post_reset(v):
 if v: return redirect('/')
diff --git a/files/routes/oauth.py b/files/routes/oauth.py
index 6b9828e8b..af6eb3ccc 100644
--- a/files/routes/oauth.py
+++ b/files/routes/oauth.py
@@ -17,7 +17,7 @@ def authorize_prompt(v):
 @app.post("/authorize")
-@limiter.limit("1/second;30/minute;200/hour;1000/day")
+@limiter.limit(DEFAULT_RATELIMIT_SLOWER)
 @ratelimit_user()
 @auth_required
 def authorize(v):
@@ -39,7 +39,7 @@ def authorize(v):
 @app.post("/rescind/")
-@limiter.limit("1/second;30/minute;200/hour;1000/day")
+@limiter.limit(DEFAULT_RATELIMIT_SLOWER)
 @ratelimit_user()
 @auth_required
 def rescind(v, aid):
@@ -51,7 +51,7 @@ def rescind(v, aid):
 @app.post("/api_keys")
-@limiter.limit("1/second;30/minute;200/hour;1000/day")
+@limiter.limit(DEFAULT_RATELIMIT_SLOWER)
 @ratelimit_user()
 @is_not_permabanned
 def request_api_keys(v):
@@ -93,7 +93,7 @@ def request_api_keys(v):
 @app.post("/delete_app/")
-@limiter.limit("1/second;30/minute;200/hour;1000/day")
+@limiter.limit(DEFAULT_RATELIMIT_SLOWER)
 @ratelimit_user()
 @auth_required
 def delete_oauth_app(v, aid):
@@ -116,7 +116,7 @@ def delete_oauth_app(v, aid):
 @app.post("/edit_app/")
-@limiter.limit("1/second;30/minute;200/hour;1000/day")
+@limiter.limit(DEFAULT_RATELIMIT_SLOWER)
 @ratelimit_user()
 @is_not_permabanned
 def edit_oauth_app(v, aid):
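Review bot: `/forgot` (@@ -397) and `/reset` (@@ -469) are unauthenticated account-recovery endpoints, and binding them to the site-wide `DEFAULT_RATELIMIT_SLOWER` couples their abuse budget to a constant shared with dozens of ordinary routes that will be tuned for those; a later relaxation of the default silently relaxes credential-recovery throttling too. A dedicated name in const.py, e.g. `RATELIMIT_ACCOUNT_RECOVERY = DEFAULT_RATELIMIT_SLOWER` (constructed name), used on these two routes would keep that policy reviewable on its own. Unlike `logout`, neither `post_forgot` nor `post_reset` carries `@ratelimit_user()`, so the limiter's default key is the only throttle here, and what that key is depends on the limiter setup outside this diff. The bodies of both functions continue past the hunk.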
@@ -140,7 +140,7 @@ def edit_oauth_app(v, aid):
 @app.post("/admin/app/approve/")
-@limiter.limit("1/second;30/minute;200/hour;1000/day")
+@limiter.limit(DEFAULT_RATELIMIT_SLOWER)
 @admin_level_required(PERMS['APPS_MODERATION'])
 def admin_app_approve(v, aid):
@@ -176,7 +176,7 @@ def admin_app_approve(v, aid):
 @app.post("/admin/app/revoke/")
-@limiter.limit("1/second;30/minute;200/hour;1000/day")
+@limiter.limit(DEFAULT_RATELIMIT_SLOWER)
 @admin_level_required(PERMS['APPS_MODERATION'])
 def admin_app_revoke(v, aid):
@@ -201,7 +201,7 @@ def admin_app_revoke(v, aid):
 @app.post("/admin/app/reject/")
-@limiter.limit("1/second;30/minute;200/hour;1000/day")
+@limiter.limit(DEFAULT_RATELIMIT_SLOWER)
 @admin_level_required(PERMS['APPS_MODERATION'])
 def admin_app_reject(v, aid):
@@ -284,7 +284,7 @@ def admin_apps_list(v):
 @app.post("/reroll/")
-@limiter.limit("1/second;30/minute;200/hour;1000/day")
+@limiter.limit(DEFAULT_RATELIMIT_SLOWER)
 @ratelimit_user()
 @auth_required
 def reroll_oauth_tokens(aid, v):
diff --git a/files/routes/posts.py b/files/routes/posts.py
index 34d946f3f..05fc6b983 100644
--- a/files/routes/posts.py
+++ b/files/routes/posts.py
@@ -78,7 +78,7 @@ def unclub_post(pid, v):
 @app.post("/publish/")
-@limiter.limit("1/second;30/minute;200/hour;1000/day")
+@limiter.limit(DEFAULT_RATELIMIT_SLOWER)
 @ratelimit_user()
 @auth_required
 def publish(pid, v):
@@ -226,7 +226,7 @@ def post_id(pid, anything=None, v=None, sub=None):
 fart=app.config['SETTINGS']['Fart mode'])
 @app.get("/viewmore///")
-@limiter.limit("1/second;30/minute;200/hour;1000/day")
+@limiter.limit(DEFAULT_RATELIMIT_SLOWER)
 @auth_desired_with_logingate
 def viewmore(v, pid, sort, offset):
 post = get_post(pid, v=v)
@@ -282,7 +282,7 @@ def viewmore(v, pid, sort, offset):
 @app.get("/morecomments/")
-@limiter.limit("1/second;30/minute;200/hour;1000/day")
+@limiter.limit(DEFAULT_RATELIMIT_SLOWER)
 @auth_desired_with_logingate
 def morecomments(v, cid):
 try: cid = int(cid)
@@ -954,7 +954,7 @@ def submit_post(v, sub=None):
 @app.post("/delete_post/")
-@limiter.limit("1/second;30/minute;200/hour;1000/day")
+@limiter.limit(DEFAULT_RATELIMIT_SLOWER)
 @ratelimit_user()
 @auth_required
 def delete_post_pid(pid, v):
@@ -981,7 +981,7 @@ def delete_post_pid(pid, v):
 return {"message": "Post deleted!"}
 @app.post("/undelete_post/")
-@limiter.limit("1/second;30/minute;200/hour;1000/day")
+@limiter.limit(DEFAULT_RATELIMIT_SLOWER)
 @ratelimit_user()
 @auth_required
 def undelete_post_pid(pid, v):
@@ -1037,7 +1037,7 @@ def toggle_post_nsfw(pid, v):
 else: return {"message": "Post has been unmarked as +18!"}
 @app.post("/save_post/")
-@limiter.limit("1/second;30/minute;200/hour;1000/day")
+@limiter.limit(DEFAULT_RATELIMIT_SLOWER)
 @ratelimit_user()
 @auth_required
 def save_post(pid, v):
@@ -1053,7 +1053,7 @@ def save_post(pid, v):
 return {"message": "Post saved!"}
 @app.post("/unsave_post/")
-@limiter.limit("1/second;30/minute;200/hour;1000/day")
+@limiter.limit(DEFAULT_RATELIMIT_SLOWER)
 @ratelimit_user()
 @auth_required
 def unsave_post(pid, v):
diff --git a/files/routes/reporting.py b/files/routes/reporting.py
index 280ec46d9..b92f88fad 100644
--- a/files/routes/reporting.py
+++ b/files/routes/reporting.py
@@ -8,7 +8,7 @@ from os import path
 from files.helpers.sanitize import filter_emojis_only
 @app.post("/report/post/")
-@limiter.limit("1/second;30/minute;200/hour;1000/day")
+@limiter.limit(DEFAULT_RATELIMIT_SLOWER)
 @ratelimit_user()
 @auth_required
 def flag_post(pid, v):
@@ -61,7 +61,7 @@ def flag_post(pid, v):
 @app.post("/report/comment/")
-@limiter.limit("1/second;30/minute;200/hour;1000/day")
+@limiter.limit(DEFAULT_RATELIMIT_SLOWER)
 @ratelimit_user()
 @auth_required
 def flag_comment(cid, v):
diff --git a/files/routes/settings.py b/files/routes/settings.py
index 397c90874..90bd8a241 100644
--- a/files/routes/settings.py
+++ b/files/routes/settings.py
@@ -27,7 +27,7 @@ def settings_personal(v):
 return render_template("settings/personal.html", v=v)
 @app.delete('/settings/background')
-@limiter.limit("1/second;30/minute;200/hour;1000/day")
+@limiter.limit(DEFAULT_RATELIMIT_SLOWER)
 @ratelimit_user()
 @auth_required
 def remove_background(v):
@@ -37,7 +37,7 @@ def remove_background(v):
 return {"message": "Background removed!"}
 @app.post("/settings/personal")
-@limiter.limit("1/second;30/minute;200/hour;1000/day")
+@limiter.limit(DEFAULT_RATELIMIT_SLOWER)
 @ratelimit_user()
 @auth_required
 def settings_personal_post(v):
@@ -318,21 +318,21 @@ def set_color(v:User, attr:str, color:Optional[str]):
 @app.post("/settings/namecolor")
-@limiter.limit("1/second;30/minute;200/hour;1000/day")
+@limiter.limit(DEFAULT_RATELIMIT_SLOWER)
 @ratelimit_user()
 @auth_required
 def namecolor(v):
 return set_color(v, "namecolor", request.values.get("namecolor"))
 @app.post("/settings/themecolor")
-@limiter.limit("1/second;30/minute;200/hour;1000/day")
+@limiter.limit(DEFAULT_RATELIMIT_SLOWER)
 @ratelimit_user()
 @auth_required
 def themecolor(v):
 return set_color(v, "themecolor", request.values.get("themecolor"))
 @app.post("/settings/gumroad")
-@limiter.limit("1/second;30/minute;200/hour;1000/day")
+@limiter.limit(DEFAULT_RATELIMIT_SLOWER)
 @ratelimit_user()
 @auth_required
 def gumroad(v):
@@ -368,14 +368,14 @@ def gumroad(v):
 return {"message": f"{patron} rewards claimed!"}
 @app.post("/settings/titlecolor")
-@limiter.limit("1/second;30/minute;200/hour;1000/day")
+@limiter.limit(DEFAULT_RATELIMIT_SLOWER)
 @ratelimit_user()
 @auth_required
 def titlecolor(v):
 return set_color(v, "titlecolor", request.values.get("titlecolor"))
 @app.post("/settings/verifiedcolor")
-@limiter.limit("1/second;30/minute;200/hour;1000/day")
+@limiter.limit(DEFAULT_RATELIMIT_SLOWER)
 @ratelimit_user()
 @auth_required
 def verifiedcolor(v):
@@ -383,7 +383,7 @@ def verifiedcolor(v):
 return set_color(v, "verifiedcolor", "verifiedcolor")
 @app.post("/settings/security")
-@limiter.limit("1/second;30/minute;200/hour;1000/day")
+@limiter.limit(DEFAULT_RATELIMIT_SLOWER)
 @ratelimit_user()
 @auth_required
 def settings_security_post(v):
@@ -456,7 +456,7 @@ def settings_security_post(v):
 return render_template("settings/security.html", v=v, msg="Two-factor authentication disabled.")
 @app.post("/settings/log_out_all_others")
-@limiter.limit("1/second;30/minute;200/hour;1000/day")
+@limiter.limit(DEFAULT_RATELIMIT_SLOWER)
 @ratelimit_user()
 @auth_required
 def settings_log_out_others(v):
@@ -471,7 +471,7 @@ def settings_log_out_others(v):
 @app.post("/settings/images/profile")
-@limiter.limit("1/second;30/minute;200/hour;1000/day")
+@limiter.limit(DEFAULT_RATELIMIT_SLOWER)
 @ratelimit_user()
 @auth_required
 def settings_images_profile(v):
@@ -506,7 +506,7 @@ def settings_images_profile(v):
 @app.post("/settings/images/banner")
-@limiter.limit("1/second;30/minute;200/hour;1000/day")
+@limiter.limit(DEFAULT_RATELIMIT_SLOWER)
 @ratelimit_user()
 @auth_required
 @feature_required('USERS_PROFILE_BANNER')
@@ -534,7 +534,7 @@ def settings_css_get(v):
 return render_template("settings/css.html", v=v)
 @app.post("/settings/css")
-@limiter.limit("1/second;30/minute;200/hour;1000/day")
+@limiter.limit(DEFAULT_RATELIMIT_SLOWER)
 @ratelimit_user()
 @auth_required
 def settings_css(v):
@@ -548,7 +548,7 @@ def settings_css(v):
 return render_template("settings/css.html", v=v)
 @app.post("/settings/profilecss")
-@limiter.limit("1/second;30/minute;200/hour;1000/day")
+@limiter.limit(DEFAULT_RATELIMIT_SLOWER)
 @ratelimit_user()
 @auth_required
 def settings_profilecss(v):
@@ -597,7 +597,7 @@ def settings_block_user(v):
 @app.post("/settings/unblock")
-@limiter.limit("1/second;30/minute;200/hour;1000/day")
+@limiter.limit(DEFAULT_RATELIMIT_SLOWER)
 @ratelimit_user()
 @auth_required
 def settings_unblock_user(v):
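Review bot: `/settings/security` (@@ -383) and `/settings/log_out_all_others` (@@ -456) change credentials and revoke sessions, and the @@ -383 hunk puts them on the same `DEFAULT_RATELIMIT_SLOWER` as profile-colour and CSS updates; a separate constant for credential-changing routes would keep their budget from drifting whenever the generic default is retuned for cosmetic endpoints. Unrelated to this change but visible in the @@ -383 context: `return set_color(v, "verifiedcolor", "verifiedcolor")` passes the literal string as the colour where the sibling routes pass `request.values.get(...)`, which looks like a copy-paste slip worth a follow-up outside this commit. The bodies of both security routes continue past the hunk.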
@@ -621,7 +621,7 @@ def settings_advanced_get(v):
 return render_template("settings/advanced.html", v=v)
 @app.post("/settings/name_change")
-@limiter.limit("1/second;30/minute;200/hour;1000/day")
+@limiter.limit(DEFAULT_RATELIMIT_SLOWER)
 @ratelimit_user()
 @is_not_permabanned
 def settings_name_change(v):
@@ -763,7 +763,7 @@ def settings_song_change(v):
 return redirect("/settings/personal")
 @app.post("/settings/title_change")
-@limiter.limit("1/second;30/minute;200/hour;1000/day")
+@limiter.limit(DEFAULT_RATELIMIT_SLOWER)
 @ratelimit_user()
 @auth_required
 def settings_title_change(v):
@@ -787,7 +787,7 @@ def settings_title_change(v):
 @app.post("/settings/pronouns_change")
-@limiter.limit("1/second;30/minute;200/hour;1000/day")
+@limiter.limit(DEFAULT_RATELIMIT_SLOWER)
 @ratelimit_user()
 @auth_required
 @feature_required('PRONOUNS')
@@ -814,7 +814,7 @@ def settings_pronouns_change(v):
 @app.post("/settings/checkmark_text")
-@limiter.limit("1/second;30/minute;200/hour;1000/day")
+@limiter.limit(DEFAULT_RATELIMIT_SLOWER)
 @ratelimit_user()
 @auth_required
 def settings_checkmark_text(v):
diff --git a/files/routes/subs.py b/files/routes/subs.py
index 761362730..2518471d0 100644
--- a/files/routes/subs.py
+++ b/files/routes/subs.py
@@ -386,7 +386,7 @@ def sub_settings(v, sub):
 @app.post('/h//sidebar')
-@limiter.limit("1/second;30/minute;200/hour;1000/day")
+@limiter.limit(DEFAULT_RATELIMIT_SLOWER)
 @ratelimit_user()
 @is_not_permabanned
 def post_sub_sidebar(v, sub):
@@ -411,7 +411,7 @@ def post_sub_sidebar(v, sub):
 @app.post('/h//css')
-@limiter.limit("1/second;30/minute;200/hour;1000/day")
+@limiter.limit(DEFAULT_RATELIMIT_SLOWER)
 @ratelimit_user()
 @is_not_permabanned
 def post_sub_css(v, sub):
diff --git a/files/routes/users.py b/files/routes/users.py
index 6434f297a..5c15cf381 100644
--- a/files/routes/users.py
+++ b/files/routes/users.py
@@ -312,14 +312,14 @@ def transfer_currency(v:User, username:str, currency_name:Literal['coins', 'proc
 return {"message": f"{amount - tax} {friendly_currency_name} have been transferred to @{receiver.username}"}
 @app.post("/@/transfer_coins")
-@limiter.limit("1/second;30/minute;200/hour;1000/day")
+@limiter.limit(DEFAULT_RATELIMIT_SLOWER)
 @ratelimit_user()
 @is_not_permabanned
 def transfer_coins(v, username):
 return transfer_currency(v, username, 'coins', True)
 @app.post("/@/transfer_bux")
-@limiter.limit("1/second;30/minute;200/hour;1000/day")
+@limiter.limit(DEFAULT_RATELIMIT_SLOWER)
 @ratelimit_user()
 @is_not_permabanned
 @feature_required('PROCOINS')
@@ -392,7 +392,7 @@ def song(song):
 return resp
 @app.post("/subscribe/")
-@limiter.limit("1/second;30/minute;200/hour;1000/day")
+@limiter.limit(DEFAULT_RATELIMIT_SLOWER)
 @ratelimit_user()
 @auth_required
 def subscribe(v, post_id):
@@ -403,7 +403,7 @@ def subscribe(v, post_id):
 return {"message": "Subscribed to post successfully!"}
 @app.post("/unsubscribe/")
-@limiter.limit("1/second;30/minute;200/hour;1000/day")
+@limiter.limit(DEFAULT_RATELIMIT_SLOWER)
 @ratelimit_user()
 @auth_required
 def unsubscribe(v, post_id):
@@ -831,7 +831,7 @@ def u_user_id_info(id, v=None):
 return user.json
 @app.post("/follow/")
-@limiter.limit("1/second;30/minute;200/hour;1000/day")
+@limiter.limit(DEFAULT_RATELIMIT_SLOWER)
 @ratelimit_user()
 @auth_required
 def follow_user(username, v):
@@ -858,7 +858,7 @@ def follow_user(username, v):
 return {"message": f"@{target.username} has been followed!"}
 @app.post("/unfollow/")
-@limiter.limit("1/second;30/minute;200/hour;1000/day")
+@limiter.limit(DEFAULT_RATELIMIT_SLOWER)
 @ratelimit_user()
 @auth_required
 def unfollow_user(username, v):
@@ -886,7 +886,7 @@ def unfollow_user(username, v):
 return {"message": f"@{target.username} has been unfollowed!"}
 @app.post("/remove_follow/")
-@limiter.limit("1/second;30/minute;200/hour;1000/day")
+@limiter.limit(DEFAULT_RATELIMIT_SLOWER)
 @ratelimit_user()
 @auth_required
 def remove_follow(username, v):
@@ -1082,7 +1082,7 @@ kofi_tiers={
 }
 @app.post("/settings/kofi")
-@limiter.limit("1/second;30/minute;200/hour;1000/day")
+@limiter.limit(DEFAULT_RATELIMIT_SLOWER)
 @auth_required
 def settings_kofi(v):
 if not (v.email and v.is_activated):