Rate limiting for GET /api/:version/groups/:id when the projects member is requested
What does this MR do and why?
GET /api/v4/groups/:id?with_projects=true is deprecated (albeit the default behaviour, for backward compatibility reasons); it includes the projects member in the returned API response. That's expensive to calculate and is generally unnecessary - other endpoints let you access the same information in a more efficient manner.
Limiting requests to deprecated API endpoints is a way to induce users to switch to the non-deprecated alternatives. We can add more endpoints over time.
This MR is closely based on the work done for https://gitlab.com/gitlab-org/gitlab/-/issues/335075 - in fact, it's almost entirely a copy-paste of these four MRs:
- Database migration MR <== !68559 (merged)
- Throttling configuration form in Admin Area MR: !68560 (merged)
- Rack attack configuration MR: !68561 (merged)
- Documentation update: !68645 (merged)
I could submit it as four separate commits in four separate MRs, and will if the combination seems unmanageable. For now, it's split into a commit for each of the MRs listed above.
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
Related to #337829 (closed)
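An added example, not code from this MR or from GitLab: a request matcher and throttle for the deprecated call described above, with a plain fixed-window counter standing in for Rack::Attack. The method names, the limit and the rule that only a literal `with_projects=false` opts out are assumptions; the point it shows is that because `with_projects` defaults to true, a request that omits the parameter must be counted too.

```ruby
require "uri"

# Matches GET /api/:version/groups/:id exactly (sub-resources are excluded).
GROUP_PATH = %r{\A/api/v\d+/groups/[^/]+/?\z}

# True when the request asks for the deprecated `projects` member.
# Assumption: only an explicit with_projects=false opts out.
def deprecated_groups_request?(method, url)
  uri = URI.parse(url)
  return false unless method == "GET" && uri.path.match?(GROUP_PATH)

  params = URI.decode_www_form(uri.query.to_s).to_h
  # The parameter defaults to true, so its absence still counts.
  params.fetch("with_projects", "true").downcase != "false"
end

# Fixed-window counter: at most `limit` hits per client per `period` seconds.
class FixedWindowThrottle
  def initialize(limit:, period:)
    @limit = limit
    @period = period
    @counts = Hash.new(0)
  end

  # Records one hit and returns true when the client is over the limit.
  def throttled?(client, now)
    bucket = [client, now.to_i / @period]
    @counts[bucket] += 1
    @counts[bucket] > @limit
  end
end

# Returns the HTTP status a throttling layer would produce for this request.
def status_for(throttle, client, method, url, now)
  return 200 unless deprecated_groups_request?(method, url)

  throttle.throttled?(client, now) ? 429 : 200
end

# Constructed sample traffic: limit of 2 deprecated calls per 60 seconds.
throttle = FixedWindowThrottle.new(limit: 2, period: 60)
[["/api/v4/groups/42", 1200],
 ["/api/v4/groups/42?with_projects=true", 1201],
 ["/api/v4/groups/42", 1202],
 ["/api/v4/groups/42?with_projects=false", 1203]].each do |url, now|
  puts "#{status_for(throttle, 'client-a', 'GET', url, now)} GET #{url}"
end
```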