ion icon indicating copy to clipboard operation
ion copied to clipboard

Published 20 hours ago verified publisher icon tjcsl

feat(printing): add rate limit to print job requests (closes tjcsl#662)

Open aarushtools opened this issue 1 year ago • 10 comments
trafficstars

Proposed changes

  • Add a rate limit of 10 POST requests per minute to ion printing
  • Fix some linting errors from previous contributors in the printing/views.py file so checks can pass

Brief description of rationale

Blocks excessive printing by users to prevent abuse or overload of the printers

aarushtools avatar Apr 28 '24 21:04 aarushtools

Coverage Status

coverage: 79.376% (-0.09%) from 79.468% when pulling bbbb0f01c170c1ae53cf5464cdaf1e8db5ff547c on aarushtools:dev into f164994ae3be5ae4e619c13fb56e9fe85bb5bd22 on tjcsl:dev.

coveralls avatar Apr 28 '24 21:04 coveralls

I think 2 requests / 5 minutes is a good ratelimit for successful POST requests.

I don't think turning the printing view into an API view is a good idea. It doesn't give a good error screen when the requests are throttled. Instead, the user should be presented with a good error screen, perhaps using the messages module we already have, and told they cannot print more than twice every 5 minutes. Perhaps you will find another package to accomplish this, but keep in mind only successful POST requests should be tracked. Otherwise, you may need to write your own backend and model for this.

alanzhu0 avatar May 02 '24 13:05 alanzhu0

I tried to use django-ratelimit but decided that the package is just not meant to do what I was looking for and decided to use caching to make a sort of DIY ratelimit. I implemented the django cache system into two functions that I check for directly in the print_job function. The cache key holds an int that is incremented each time a request is made, and it expires in 300 seconds or 5 minutes.

aarushtools avatar May 03 '24 01:05 aarushtools

Done 👍 I put those variables in the main settings file for everything

aarushtools avatar May 04 '24 22:05 aarushtools

This is great! Last few comments:

  • Can you write some text on the printing page alerting users to the ratelimit? Use the variables from the settings file.
  • Can you make the ratelimit not apply to administrators (admin_all)? Still send a message along the lines of "you have reached the ratelimit of 2 req / 5 min, but since you are an administrator it will still go through." (for debugging purposes).
  • Same thing for teachers - except don't send the message. So no ratelimit at all for teachers. While you're at it, maybe increase the number of pages teachers can print? 50 is probably a good value. That can go in settings too.

alanzhu0 avatar May 11 '24 02:05 alanzhu0

Everything implemented except for point 2 (partially). I use logger.error() to send a message since messages.error requires request as a property, which I don't have access to in the print_job function. I could add request to the obj object or as a param for the print_job func, but I think that isn't really necessary (but I can still do it if you believe it's the best way)

aarushtools avatar May 18 '24 00:05 aarushtools

That's fine. Good call. Almost ready to merge, I'm assuming you'll fix CI, last thing it looks like "WizardoWaldo" (your alt?) is included in the commit. I don't really care about that but if you do you might want to take that off.

alanzhu0 avatar May 18 '24 00:05 alanzhu0

Yea, sorry about that I'm trying to fix it. Pushing using the PyCharm gui did that for some reason

aarushtools avatar May 18 '24 00:05 aarushtools

Very very close. Sorry for all the comments about small details.

No worries, hopefully it's all good now 👍

aarushtools avatar May 20 '24 16:05 aarushtools

Logic looks good now, just resolve the merge conflicts

alanzhu0 avatar Jul 05 '24 20:07 alanzhu0