Should blank values be allowed ? about django-ratelimit HOT 4 CLOSED

I have a similar issue but instead of "blank values" being the issue, it's the more general "invalid values". Right now, if someone posts a form with invalid data, the server returns errors and then the user has a chance to post again ... but since it's ratelimited they fix the values and then it fails.

I have a bug to rewrite the code for the view, but I haven't figured out how to use the is_ratelimited helper in a way that lets me check to see if it's already rate limited (no side-effects) and if not, then does the view code and at the end of everything updates the rate limiting counters.

I don't think an arg for the ratelimit decorator to count empty values is a good idea, but it'd help to separate the check-and-update stages to before and after the view executes with maybe some "should we update?" check.

from django-ratelimit.

I disagree that it's clear that you'd only ratelimit valid-but-wrong or invalid. Validation itself may be slow. If I'm, for example, protecting a password form, and password checking is a slow, CPU-/memory-bound process (as it should be) then submitting a ton of values is a DOS vector—it's not just an issue of account protection.

@willkg is_ratelimited(increment=False)

@bitcity This is why block=False is the default. For a login form, it's almost certainly better to add a CAPTCHA or some other passable check rather than blocking a user entirely. If you block them entirely, I can stop them from logging in by sending a bunch of phony attempts with their username.

from django-ratelimit.

More broadly, pulling out utils.is_ratelimited is specifically to enable users to do more complicated logic around what should count as "an attempt".

from django-ratelimit.

@willkg is_ratelimited(increment=False)

Hot diggity dog! You're the best!

from django-ratelimit.