Add perm to demote user to anon throttle rate

keshav-space · keshav-space · commit 94dd104efa74 · 2025-07-01T17:28:13.000+05:30
Signed-off-by: Keshav Priyadarshi &lt;git@keshav.space&gt;
diff --git a/vulnerabilities/migrations/0093_alter_apiuser_options.py b/vulnerabilities/migrations/0093_alter_apiuser_options.py
@@ -1,4 +1,4 @@
-# Generated by Django 4.2.22 on 2025-06-13 08:07
+# Generated by Django 4.2.22 on 2025-06-13 12:44
 
 from django.db import migrations
 
@@ -14,9 +14,10 @@ class Migration(migrations.Migration):
             name="apiuser",
             options={
                 "permissions": [
-                    ("throttle_unrestricted", "Exempt from API throttling limits"),
-                    ("throttle_18000_hour", "Can make 18000 API requests per hour"),
-                    ("throttle_14400_hour", "Can make 14400 API requests per hour"),
+                    ("throttle_unrestricted", "Can make api requests without throttling limits"),
+                    ("throttle_18000_hour", "Can make 18000 api requests per hour"),
+                    ("throttle_14400_hour", "Can make 14400 api requests per hour"),
+                    ("throttle_3600_hour", "Can make 3600 api requests per hour"),
                 ]
             },
         ),
diff --git a/vulnerabilities/models.py b/vulnerabilities/models.py
@@ -1497,9 +1497,10 @@ class ApiUser(UserModel):
     class Meta:
         proxy = True
         permissions = [
-            ("throttle_unrestricted", "Exempt from API throttling limits"),
-            ("throttle_18000_hour", "Can make 18000 API requests per hour"),
-            ("throttle_14400_hour", "Can make 14400 API requests per hour"),
+            ("throttle_unrestricted", "Can make api requests without throttling limits"),
+            ("throttle_18000_hour", "Can make 18000 api requests per hour"),
+            ("throttle_14400_hour", "Can make 14400 api requests per hour"),
+            ("throttle_3600_hour", "Can make 3600 api requests per hour"),
         ]
 
 
diff --git a/vulnerabilities/tests/test_throttling.py b/vulnerabilities/tests/test_throttling.py
@@ -41,10 +41,18 @@ def setUp(self):
         # See https://www.django-rest-framework.org/api-guide/throttling/#setting-up-the-cache
         cache.clear()
 
+        permission_3600 = Permission.objects.get(codename="throttle_3600_hour")
         permission_14400 = Permission.objects.get(codename="throttle_14400_hour")
         permission_18000 = Permission.objects.get(codename="throttle_18000_hour")
         permission_unrestricted = Permission.objects.get(codename="throttle_unrestricted")
 
+        # user with 3600/hour permission
+        self.th_3600_user = ApiUser.objects.create_api_user(username="z@mail.com")
+        self.th_3600_user.user_permissions.add(permission_3600)
+        self.th_3600_user_auth = f"Token {self.th_3600_user.auth_token.key}"
+        self.th_3600_user_csrf_client = APIClient(enforce_csrf_checks=True)
+        self.th_3600_user_csrf_client.credentials(HTTP_AUTHORIZATION=self.th_3600_user_auth)
+
         # basic user without any special throttling perm
         self.basic_user = ApiUser.objects.create_api_user(username="a@mail.com")
         self.basic_user_auth = f"Token {self.basic_user.auth_token.key}"
@@ -77,6 +85,20 @@ def setUp(self):
         self.csrf_client_anon = APIClient(enforce_csrf_checks=True)
         self.csrf_client_anon_1 = APIClient(enforce_csrf_checks=True)
 
+    def test_user_with_3600_perm_throttling(self):
+        simulate_throttle_usage(
+            url="/api/packages",
+            client=self.th_3600_user_csrf_client,
+            mock_use_count=3599,
+        )
+
+        response = self.th_3600_user_csrf_client.get("/api/packages")
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+
+        # exhausted 3600/hr allowed requests.
+        response = self.th_3600_user_csrf_client.get("/api/packages")
+        self.assertEqual(response.status_code, status.HTTP_429_TOO_MANY_REQUESTS)
+
     def test_basic_user_throttling(self):
         simulate_throttle_usage(
             url="/api/packages",
@@ -87,7 +109,7 @@ def test_basic_user_throttling(self):
         response = self.basic_user_csrf_client.get("/api/packages")
         self.assertEqual(response.status_code, status.HTTP_200_OK)
 
-        # exhausted 10800/hr allowed requests for basic user.
+        # exhausted 10800/hr allowed requests.
         response = self.basic_user_csrf_client.get("/api/packages")
         self.assertEqual(response.status_code, status.HTTP_429_TOO_MANY_REQUESTS)
 
diff --git a/vulnerabilities/throttling.py b/vulnerabilities/throttling.py
@@ -13,6 +13,12 @@
 
 
 class PermissionBasedUserRateThrottle(UserRateThrottle):
+    """
+    Throttle authenticated users based on their assigned permissions.
+    If no throttling permission is assigned, default to rate for `user`
+    scope provided via `DEFAULT_THROTTLE_RATES` in settings.py.
+    """
+
     def allow_request(self, request, view):
         user = request.user
 
@@ -23,6 +29,8 @@ def allow_request(self, request, view):
                 self.rate = "18000/hour"
             elif user.has_perm("vulnerabilities.throttle_14400_hour"):
                 self.rate = "14400/hour"
+            elif user.has_perm("vulnerabilities.throttle_3600_hour"):
+                self.rate = "3600/hour"
 
             self.num_requests, self.duration = self.parse_rate(self.rate)
 
