Add throttling to contact api endpoint

rdmorganiser · Jan 21, 2025 · 46464f6 · 46464f6
1 parent 0d35cd4
commit 46464f6
Show file tree

Hide file tree

Showing 5 changed files with 39 additions and 5 deletions.
diff --git a/rdmo/core/assets/js/api/BaseApi.js b/rdmo/core/assets/js/api/BaseApi.js
@@ -19,6 +19,12 @@ function BadRequestError(errors) {
   this.errors = errors
 }
 
+function ThrottlingError(errors) {
+  this.errors = {
+    throttling: errors.detail
+  }
+}
+
 class BaseApi {
 
   static get(url) {
@@ -31,6 +37,10 @@ class BaseApi {
         return response.json().then(errors => {
           throw new BadRequestError(errors)
         })
+      } else if (response.status === 429) {
+        return response.json().then(errors => {
+          throw new ThrottlingError(errors)
+        })
       } else {
         throw new ApiError(response.statusText, response.status)
       }
@@ -59,6 +69,10 @@ class BaseApi {
         return response.json().then(errors => {
           throw new ValidationError(errors)
         })
+      } else if (response.status === 429) {
+        return response.json().then(errors => {
+          throw new ThrottlingError(errors)
+        })
       } else {
         throw new ApiError(response.statusText, response.status)
       }

diff --git a/rdmo/core/settings.py b/rdmo/core/settings.py
@@ -164,8 +164,8 @@
 
 CACHES = {
     'default': {
-        'BACKEND': 'django.core.cache.backends.locmem.LocMemCache',
-        'LOCATION': 'rdmo_default'
+        'BACKEND': 'django.core.cache.backends.db.DatabaseCache',
+        'LOCATION': 'django_cache'
     }
 }
 
@@ -180,7 +180,10 @@
     ),
     'DEFAULT_RENDERER_CLASSES': (
         'rest_framework.renderers.JSONRenderer',
-    )
+    ),
+    'DEFAULT_THROTTLE_RATES': {
+        'email': '1/minute'
+    }
 }
 
 SETTINGS_EXPORT = [

diff --git a/rdmo/core/throttling.py b/rdmo/core/throttling.py
@@ -0,0 +1,8 @@
+from rest_framework.throttling import UserRateThrottle
+
+
+class EmailThrottle(UserRateThrottle):
+    scope = 'email'
+
+    def allow_request(self, request, view):
+        return request.method == 'GET' or super().allow_request(request, view)
diff --git a/rdmo/projects/assets/js/interview/components/main/Contact.js b/rdmo/projects/assets/js/interview/components/main/Contact.js
@@ -31,7 +31,7 @@ const Contact = ({ templates, contact, sendContact, closeContact }) => {
           bsSize: 'lg'
         }}>
           <Html html={templates.project_interview_contact_help} />
-          <form onSubmit={onSubmit}>
+          <form className="mb-0" onSubmit={onSubmit}>
             <div className="form-group">
               <label htmlFor="interview-question-contact-subject">Subject</label>
               <input
@@ -66,6 +66,13 @@ const Contact = ({ templates, contact, sendContact, closeContact }) => {
                 }
               </ul>
             </div>
+            {
+              errors && errors.throttling && (
+                <ul className="help-block list-unstyled mb-0">
+                  <li className="text-danger">{errors.throttling}</li>
+                </ul>
+              )
+            }
           </form>
       </Modal>
     </>

diff --git a/rdmo/projects/viewsets.py b/rdmo/projects/viewsets.py
@@ -22,6 +22,7 @@
 
 from rdmo.conditions.models import Condition
 from rdmo.core.permissions import HasModelPermission
+from rdmo.core.throttling import EmailThrottle
 from rdmo.core.utils import human2bytes, is_truthy, return_file_response
 from rdmo.options.models import OptionSet
 from rdmo.questions.models import Catalog, Page, Question, QuestionSet
@@ -329,7 +330,8 @@ def visibility(self, request, pk=None):
         raise Http404
 
     @action(detail=True, methods=['get', 'post'],
-            permission_classes=(HasModelPermission | HasProjectPermission, ))
+            permission_classes=(HasModelPermission | HasProjectPermission, ),
+            throttle_classes=[EmailThrottle])
     def contact(self, request, pk):
         if settings.PROJECT_CONTACT:
             if request.method == 'POST':