fix: make rate_limiter respect multitenancy (#24634)

* fix: make rate_limiter respect multitenancy * fix: lower rate limit window for password reset * refactor: Use redis_wrapper
2024-01-31 14:46:27 +05:30 · 2024-01-31 14:46:27 +05:30 · a25e68a763
commit a25e68a763
parent 53d6d156ec
4 changed files with 3 additions and 4 deletions
--- a/frappe/core/doctype/server_script/test_server_script.py
+++ b/frappe/core/doctype/server_script/test_server_script.py
@ -238,7 +238,6 @@ frappe.qb.from_(todo).select(todo.name).where(todo.name == "{todo.name}").run()
 		script.execute_method()

 	def test_server_script_rate_limiting(self):
-		# why not
 		script1 = frappe.get_doc(
 			doctype="Server Script",
 			name="rate_limited_server_script",
--- a/frappe/core/doctype/user/user.py
+++ b/frappe/core/doctype/user/user.py
@ -1018,7 +1018,7 @@ def sign_up(email: str, full_name: str, redirect_to: str) -> tuple[int, str]:


@frappe.whitelist(allow_guest=True)
-@rate_limit(limit=get_password_reset_limit, seconds=24 * 60 * 60)
+@rate_limit(limit=get_password_reset_limit, seconds=60 * 60)
 def reset_password(user: str) -> str:
 	if user == "Administrator":
 		return "not allowed"
--- a/frappe/rate_limiter.py
+++ b/frappe/rate_limiter.py
@ -138,7 +138,7 @@ def rate_limit(
 			if not identity:
 				frappe.throw(_("Either key or IP flag is required."))

-			cache_key = f"rl:{frappe.form_dict.cmd}:{identity}"
+			cache_key = frappe.cache.make_key(f"rl:{frappe.form_dict.cmd}:{identity}")

 			value = frappe.cache.get(cache_key)
 			if not value:
--- a/frappe/utils/password.py
+++ b/frappe/utils/password.py
@ -215,4 +215,4 @@ def get_encryption_key():


 def get_password_reset_limit():
-	return frappe.db.get_single_value("System Settings", "password_reset_limit") or 0
+	return frappe.get_system_settings("password_reset_limit") or 3