From 40f820470a4ad1106207aca4583c8531c5a4a6c6 Mon Sep 17 00:00:00 2001
From: Andrey Borysenko
Date: Thu, 11 Jul 2024 13:18:03 +0300
Subject: [PATCH] chore: use "app_api" session key, "app_api_system" is deprecated
Signed-off-by: Andrey Borysenko
---
 .../Middleware/Security/RateLimitingMiddleware.php | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/lib/private/AppFramework/Middleware/Security/RateLimitingMiddleware.php b/lib/private/AppFramework/Middleware/Security/RateLimitingMiddleware.php
index d593bf5019fca..511ee3fc28a8b 100644
--- a/lib/private/AppFramework/Middleware/Security/RateLimitingMiddleware.php
+++ b/lib/private/AppFramework/Middleware/Security/RateLimitingMiddleware.php
@@ -11,6 +11,7 @@
 use OC\AppFramework\Utility\ControllerMethodReflector;
 use OC\Security\RateLimiting\Exception\RateLimitExceededException;
 use OC\Security\RateLimiting\Limiter;
+use OC\User\Session;
 use OCP\AppFramework\Controller;
 use OCP\AppFramework\Http\Attribute\AnonRateLimit;
 use OCP\AppFramework\Http\Attribute\ARateLimit;
@@ -63,8 +64,8 @@ public function beforeController(Controller $controller, string $methodName): vo
 parent::beforeController($controller, $methodName);
 $rateLimitIdentifier = get_class($controller) . '::' . $methodName;
- if ($this->session->exists('app_api_system')) {
- // Bypass rate limiting for app_api
+ if ($this->userSession instanceof Session && $this->userSession->getSession()->get('app_api') === true && $this->userSession->getUser() === null) {
+ // if userId is not specified and the request is authenticated by AppAPI, we skip the rate limit
 return;
 }
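Review bot: The rate-limit bypass in `beforeController` now rests entirely on the session value `app_api` being strictly `true` while `getUser()` is null, and nothing in this hunk shows where that flag is written or cleared. If the flag can outlive the AppAPI-authenticated request, for instance in a session reused by a later request, anonymous calls on that session would skip the limiter as well, so it is worth confirming that it is set only after AppAPI authentication succeeds and does not persist. I would state that contract in the comment, e.g. `// 'app_api' is set to true only by AppAPI request authentication; such a request without a user skips rate limiting`, and add a unit test for the three cases (flag set without a user, flag set with a user, flag absent), since the diffstat shows only this file changed. The `instanceof Session` guard means any other user-session implementation falls through to normal limiting, which fails closed and looks intentional. The method body continues outside the hunk.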