This changeset updates the rate-limiting middleware to apply a less strict limit on requests made by authenticated staff users (i.e., those with Wagtail CMS access). This is so that things like the image search typeahead aren't blocked so readily.
The initial value for the admin-user rate limiting is now 60 requests per minute, up from 25 per minute (which remains the default for unauthenticated users).
Note that the user has to be both authenticated AND a staff/admin user to not be treated as a regular public user. At the moment, all our authenticated users are staff, but this may not always be the case.
Tests have been extended to prove this is working as expected, plus manual checks have been done, but it's still possible that we need to increase the admin-user limit further, or simply remove it and keep it only for unauthenticated users.
How to test
code is deployed to staging
as an unauthenticated user (e.g. in an incognito window) repeatedly load a non-CMS page from staging - e.g. the homepage. It should rate limit on the 26th request, if you're fast enough
as an authenticated user, in admin, you are now allowed more requests per minute, which should not get in the way of your editing/content work. Please check things that previously tripped the rate limiter.
The image-search typeahead will, for instance, still hit it if you enter 61 characters one by one
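The bucketing rule and the two limits described above, as an added, framework-free example (not the project's middleware, which is not shown here). `User`, `Request`, the fixed-window counter and the choice to key public callers by IP but staff callers by user id are all assumptions made for the illustration; the 203.0.113.x addresses are constructed from the documentation range. The replay helper reproduces the manual test: a public caller is refused on the 26th request and a staff caller on the 61st, while a logged-in non-staff account is still treated as public.

```python
"""Fixed-window rate limiter that buckets callers as public or authenticated staff.

Added example; stand-in for a Django/Wagtail middleware. Names, the keying rule
and the window implementation are assumptions, not the project's code.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

PUBLIC_LIMIT_PER_MINUTE = 25   # remains the default for unauthenticated users
STAFF_LIMIT_PER_MINUTE = 60    # relaxed limit for authenticated staff
WINDOW_SECONDS = 60


@dataclass
class User:
    """Constructed stand-in for a Django auth user (only the fields read below)."""
    id: int = 0
    is_authenticated: bool = False
    is_staff: bool = False


@dataclass
class Request:
    """Constructed stand-in for an HttpRequest carrying the attributes we need."""
    user: User
    remote_addr: str


def is_staff_user(user) -> bool:
    # Both conditions are required: an authenticated non-staff account is still
    # treated exactly like an anonymous visitor.
    return bool(user.is_authenticated and user.is_staff)


def bucket_for(request):
    """Return (bucket key, per-minute limit) for a request.

    Assumption: public callers share a bucket per source IP, staff callers get a
    bucket per user id so two editors behind one office NAT don't share a quota.
    """
    if is_staff_user(request.user):
        return f"staff:{request.user.id}", STAFF_LIMIT_PER_MINUTE
    return f"public:{request.remote_addr}", PUBLIC_LIMIT_PER_MINUTE


class FixedWindowRateLimiter:
    """Counts requests per (bucket, 60-second window); refuses once over the limit."""

    def __init__(self, window: int = WINDOW_SECONDS):
        self.window = window
        self._counts = defaultdict(int)   # (bucket key, window index) -> count

    def allow(self, request, now: float) -> bool:
        key, limit = bucket_for(request)
        slot = (key, int(now // self.window))
        self._counts[slot] += 1
        return self._counts[slot] <= limit


def first_blocked_request(request, limiter=None, start: float = 0.0) -> Optional[int]:
    """Replay `request` rapidly inside one window and return the 1-based index of
    the first refused request, or None if none is refused within 2x the staff limit."""
    limiter = limiter or FixedWindowRateLimiter()
    for n in range(1, 2 * STAFF_LIMIT_PER_MINUTE + 1):
        # 0.1s apart: 120 requests still land inside a single 60s window
        if not limiter.allow(request, now=start + n * 0.1):
            return n
    return None


if __name__ == "__main__":
    anon = Request(User(), "203.0.113.7")
    editor = Request(User(id=1, is_authenticated=True, is_staff=True), "203.0.113.7")
    member = Request(User(id=2, is_authenticated=True, is_staff=False), "203.0.113.7")
    print("public blocked on request", first_blocked_request(anon))      # 26
    print("staff blocked on request", first_blocked_request(editor))     # 61
    print("non-staff login blocked on request", first_blocked_request(member))  # 26
```

Because the staff bucket is keyed by user id, a second editor on the same IP gets their own 60 requests, and once the clock moves into the next window the counter for that bucket starts from zero again; the anonymous bucket for the admin login URL is unaffected by any of this, which is the case the discussion below is about.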
@valgrimm I'm still quite tempted to remove the rate limiting for authenticated staff users altogether -- I know you were keen to keep it and only relax it, but having implemented this to bucket users as either public or authenticated staff, we could drop the limit altogether for the staff users and we'd still be running rate limiting against someone unauthenticated pointlessly hammering at the admin login screen
Snippets from manual testing:
Public rate limiting still working:
Admin rate limiting does kick in, just after more queries: