Test throttling behavior for user in group

Signed-off-by: Keshav Priyadarshi <git@keshav.space>

Author: keshav-space

vulnerabilities/tests/test_throttling.py

@@ -9,6 +9,7 @@
 
 import json
 
+from django.contrib.auth.models import Group
 from django.contrib.auth.models import Permission
 from django.core.cache import cache
 from rest_framework import status
@@ -77,6 +78,16 @@ def setUp(self):
             HTTP_AUTHORIZATION=self.th_unrestricted_user_auth
         )
 
+        # unrestricted throttling for group user
+        group, _ = Group.objects.get_or_create(name="Test Unrestricted")
+        group.permissions.add(permission_unrestricted)
+
+        self.th_group_user = ApiUser.objects.create_api_user(username="g@mail.com")
+        self.th_group_user.groups.add(group)
+        self.th_group_user_auth = f"Token {self.th_group_user.auth_token.key}"
+        self.th_group_user_csrf_client = APIClient(enforce_csrf_checks=True)
+        self.th_group_user_csrf_client.credentials(HTTP_AUTHORIZATION=self.th_group_user_auth)
+
         self.csrf_client_anon = APIClient(enforce_csrf_checks=True)
         self.csrf_client_anon_1 = APIClient(enforce_csrf_checks=True)
 
@@ -147,6 +158,17 @@ def test_user_with_unrestricted_perm_throttling(self):
         response = self.th_unrestricted_user_csrf_client.get("/api/packages")
         self.assertEqual(response.status_code, status.HTTP_200_OK)
 
+    def test_user_in_group_with_unrestricted_perm_throttling(self):
+        simulate_throttle_usage(
+            url="/api/packages",
+            client=self.th_group_user_csrf_client,
+            mock_use_count=20000,
+        )
+
+        # no throttling for user in group with unrestricted perm.
+        response = self.th_group_user_csrf_client.get("/api/packages")
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+
     def test_anon_throttling(self):
         simulate_throttle_usage(
             url="/api/packages",

vulnerablecode/settings.py

@@ -190,16 +190,16 @@
 LOGIN_REDIRECT_URL = "/"
 LOGOUT_REDIRECT_URL = "/"
 
-THROTTLE_RATES_ANON = env.str("THROTTLE_RATES_ANON", default="3600/hour")
-THROTTLE_RATES_USER_HIGH = env.str("THROTTLE_RATES_USER_HIGH", default="18000/hour")
-THROTTLE_RATES_USER_MEDIUM = env.str("THROTTLE_RATES_USER_MEDIUM", default="14400/hour")
-THROTTLE_RATES_USER_LOW = env.str("THROTTLE_RATES_USER_LOW", default="10800/hour")
+THROTTLE_RATE_ANON = env.str("THROTTLE_RATE_ANON", default="3600/hour")
+THROTTLE_RATE_USER_HIGH = env.str("THROTTLE_RATE_USER_HIGH", default="18000/hour")
+THROTTLE_RATE_USER_MEDIUM = env.str("THROTTLE_RATE_USER_MEDIUM", default="14400/hour")
+THROTTLE_RATE_USER_LOW = env.str("THROTTLE_RATE_USER_LOW", default="10800/hour")
 
 REST_FRAMEWORK_DEFAULT_THROTTLE_RATES = {
-    "anon": THROTTLE_RATES_ANON,
-    "low": THROTTLE_RATES_USER_LOW,
-    "medium": THROTTLE_RATES_USER_MEDIUM,
-    "high": THROTTLE_RATES_USER_HIGH,
+    "anon": THROTTLE_RATE_ANON,
+    "low": THROTTLE_RATE_USER_LOW,
+    "medium": THROTTLE_RATE_USER_MEDIUM,
+    "high": THROTTLE_RATE_USER_HIGH,
 }