4.36.7

2023-12-21 12:00:09 +00:00 · 2023-12-21 12:00:09 +00:00 · 2372b8f50f
commit 2372b8f50f
parent f3050b2ca0
4 changed files with 10 additions and 7 deletions
--- a/app/app/api/views/alias.py
+++ b/app/app/api/views/alias.py
@ -31,6 +31,7 @@ from app.models import Alias, Contact, Mailbox, AliasMailbox
@deprecated
@api_bp.route("/aliases", methods=["GET", "POST"])
@require_api_auth
+@limiter.limit("10/minute", key_func=lambda: g.user.id)
 def get_aliases():
    """
    Get aliases
@ -72,10 +73,8 @@ def get_aliases():


@api_bp.route("/v2/aliases", methods=["GET", "POST"])
-@limiter.limit(
-    "5/minute",
-)
@require_api_auth
+@limiter.limit("10/minute", key_func=lambda: g.user.id)
 def get_aliases_v2():
    """
    Get aliases
--- a/app/app/dashboard/views/custom_alias.py
+++ b/app/app/dashboard/views/custom_alias.py
@ -24,6 +24,7 @@ from app.models import (
    AliasMailbox,
    DomainDeletedAlias,
 )
+from app.utils import CSRFValidationForm


@dashboard_bp.route("/custom_alias", methods=["GET", "POST"])
@ -48,9 +49,13 @@ def custom_alias():
            at_least_a_premium_domain = True
            break

+    csrf_form = CSRFValidationForm()
    mailboxes = current_user.mailboxes()

    if request.method == "POST":
+        if not csrf_form.validate():
+            flash("Invalid request", "warning")
+            return redirect(request.url)
        alias_prefix = request.form.get("prefix").strip().lower().replace(" ", "")
        signed_alias_suffix = request.form.get("signed-alias-suffix")
        mailbox_ids = request.form.getlist("mailboxes")
@ -164,4 +169,5 @@ def custom_alias():
        alias_suffixes=alias_suffixes,
        at_least_a_premium_domain=at_least_a_premium_domain,
        mailboxes=mailboxes,
+        csrf_form=csrf_form,
    )
--- a/app/app/dashboard/views/index.py
+++ b/app/app/dashboard/views/index.py
@ -57,10 +57,7 @@ def get_stats(user: User) -> Stats:
    methods=["POST"],
    exempt_when=lambda: request.form.get("form-name") != "create-random-email",
 )
-@limiter.limit(
-    "5/minute",
-    methods=["GET"],
-)
+@limiter.limit("10/minute", methods=["GET"], key_func=lambda: current_user.id)
@login_required
@parallel_limiter.lock(
    name="alias_creation",
--- a/app/templates/dashboard/custom_alias.html
+++ b/app/templates/dashboard/custom_alias.html
@ -93,6 +93,7 @@
        </div>
        <div class="row">
          <div class="col p-1">
+            {{ csrf_form.csrf_token }}
            <button type="submit" id="create" class="btn btn-primary mt-1">Create</button>
          </div>
        </div>