Merge branch 'fix-project-export-download-rate-limit-api' into 'master'

Apply scope fix for throttling project export downloads to the API See merge request !84754

Merge branch 'fix-project-export-download-rate-limit-api' into 'master'
d2b2e94e · Pavel Shutsin · 750f979e · 08f8c37b · d2b2e94e · d2b2e94e
Commit d2b2e94e authored 2 years ago by Pavel Shutsin
--- a/lib/api/project_export.rb
+++ b/lib/api/project_export.rb
@@ -25,7 +25,7 @@ class ProjectExport < ::API::Base
        detail 'This feature was introduced in GitLab 10.6.'
      end
      get ':id/export/download' do
-        check_rate_limit! :project_download_export, scope: [current_user, user_project]
+        check_rate_limit! :project_download_export, scope: [current_user, user_project.namespace]

        if user_project.export_file_exists?
          if user_project.export_archive_exists?

--- a/spec/requests/api/project_export_spec.rb
+++ b/spec/requests/api/project_export_spec.rb
@@ -260,6 +260,29 @@
            expect(json_response['message']['error']).to eq('This endpoint has been requested too many times. Try again later.')
          end
        end
+
+        context 'applies correct scope when throttling' do
+          before do
+            stub_application_setting(project_download_export_limit: 1)
+          end
+
+          it 'throttles downloads within same namespaces' do
+            # simulate prior request to the same namespace, which increments the rate limit counter for that scope
+            Gitlab::ApplicationRateLimiter.throttled?(:project_download_export, scope: [user, project_finished.namespace])
+
+            get api(download_path_finished, user)
+            expect(response).to have_gitlab_http_status(:too_many_requests)
+          end
+
+          it 'allows downloads from different namespaces' do
+            # simulate prior request to a different namespace, which increments the rate limit counter for that scope
+            Gitlab::ApplicationRateLimiter.throttled?(:project_download_export,
+              scope: [user, create(:project, :with_export).namespace])
+
+            get api(download_path_finished, user)
+            expect(response).to have_gitlab_http_status(:ok)
+          end
+        end
      end

      context 'when user is a maintainer' do