Rate limit email blast from Admin area (#31509) · Issues · GitLab.org / GitLab

Rate limit email blast from Admin area

Summary

As per @manojmj's comment in https://gitlab.com/gitlab-org/manage/issues/62#note_206297931

Admins can send an email blast to users from the admin area. Currently, there are no limits to this. Although admins are assumed to be good actors, even with good intent, sending an email blast to a lot of users can hold up the job queues and cause delays in other jobs. Do you think this feature should also have rate-limiting?

Proposal

Rate limit the frequency of sending instance-wide emails from the admin panel (/admin/email).

I think this is UI only and there's no relevant GitLab API for this.

Proposed rate limit: 1x every 10 minutes.

Present an error banner to the user when this limit is violated, displaying the number of minutes remaining until they're able to send another blast.

Ideas

We could consider rate-limiting this action, preferably not on the number of emails, because there could be a genuine case to send emails to all users, but on the frequency of the action itself (as an example: email blasts can be sent by admin only once in 30 minutes, irrespective of the number of users)
If we decide we don't want to expose limits, we can still help the admin a lot - e.g. by showing a warning that such action might have adverse effects on instance performance.

The issue is marked as confidential as the lack of limits could potentially be abused.

Issue readiness

Product: issue description is accurate with an acceptable proposal for an MVC
Engineering: issue is implementable with few remaining questions, is sufficiently broken down, and is able to be estimated

### Summary

As per @manojmj's comment in https://gitlab.com/gitlab-org/manage/issues/62#note_206297931

### Proposal

Rate limit the frequency of sending instance-wide emails from the admin panel (`/admin/email`). 
* I think this is UI only and there's no relevant GitLab API for this.

Proposed rate limit: 1x every 10 minutes.
* Present an error banner to the user when this limit is violated, displaying the number of minutes remaining until they're able to send another blast.

### Ideas

* We could consider rate-limiting this action, preferably not on the number of emails, because there could be a genuine case to send emails to all users, but on the frequency of the action itself (as an example: email blasts can be sent by admin only once in 30 minutes, irrespective of the number of users)
* If we decide we don't want to expose limits, we can still help the admin a lot - e.g. by showing a warning that such action might have adverse effects on instance performance.

The issue is marked as confidential as the lack of limits could *potentially* be abused.

## Issue readiness

* [x]  Product: issue description is accurate with an acceptable proposal for an MVC
* [x]  Engineering: issue is implementable with few remaining questions, is sufficiently broken down, and is able to be estimated

Edited Apr 17, 2020 by Liam McAndrew