
Modernize rate limiting of sendMessage
- use permissions instead of roles
  (new permission is introduced)
- port to RateLimiter facade

The latter is necessary to keep tests passing.
jangmarker committed Jul 6, 2017
1 parent a3b64c0 commit eafba82
Showing 2 changed files with 4 additions and 9 deletions.
1 change: 1 addition & 0 deletions packages/rocketchat-authorization/server/startup.js
Expand Up @@ -46,6 +46,7 @@ Meteor.startup(function() {
{ _id: 'run-migration', roles : ['admin'] },
{ _id: 'set-moderator', roles : ['admin', 'owner'] },
{ _id: 'set-owner', roles : ['admin', 'owner'] },
{ _id: 'send-many-messages', roles : ['admin', 'bot'] },
{ _id: 'unarchive-room', roles : ['admin'] },
{ _id: 'view-c-room', roles : ['admin', 'user', 'bot', 'anonymous'] },
{ _id: 'user-generate-access-token', roles : ['admin'] },
12 changes: 3 additions & 9 deletions packages/rocketchat-lib/server/methods/sendMessage.js
Expand Up @@ -68,14 +68,8 @@ Meteor.methods({
}
});
// Limit a user, who does not have the "bot" role, to sending 5 msgs/second
DDPRateLimiter.addRule({
type: 'method',
name: 'sendMessage',
RocketChat.RateLimiter.limitMethod('sendMessage', 5, 1000, {
userId(userId) {
const user = RocketChat.models.Users.findOneById(userId);
if (user == null || !user.roles) {
return true;
}
return user.roles.includes('bot');
return !RocketChat.authz.hasPermission(userId, 'send-many-messages');
}
}, 5, 1000);
});
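Review bot: The comment `// Limit a user, who does not have the "bot" role, to sending 5 msgs/second` shown just before the new `RocketChat.RateLimiter.limitMethod` call, if it survives on the new side, is now stale: the `userId` callback keys off the `send-many-messages` permission, which the startup.js hunk grants to `admin` as well as `bot`. Replace it with `// Limit users without the 'send-many-messages' permission to sending 5 msgs/second` so the exemption criterion documented matches the code. That also means admin accounts are now exempt from the sendMessage throttle, which the old role check did not allow and the commit message does not mention; worth confirming this widening is intended, since a compromised or scripted admin session is no longer rate-limited. The callback also appears to perform a permission lookup on every sendMessage call; if `hasPermission` reaches the database, confirm the cost is acceptable on this hot path.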
