Merge pull request #50905 from nextcloud/fix/rate-limit-share-creation

Author: skjnldsv

apps/files_sharing/lib/Controller/ShareAPIController.php

@@ -558,6 +558,7 @@ public function deleteShare(string $id): DataResponse {
 	 * 200: Share created
 	 */
 	#[NoAdminRequired]
+	#[UserRateLimit(limit: 20, period: 600)]
 	public function createShare(
 		?string $path = null,
 		?int $permissions = null,
@@ -2150,7 +2151,7 @@ private function checkInheritedAttributes(IShare $share): void {
 	 * 200: The email notification was sent successfully
 	 */
 	#[NoAdminRequired]
-	#[UserRateLimit(limit: 5, period: 120)]
+	#[UserRateLimit(limit: 10, period: 600)]
 	public function sendShareEmail(string $id, $password = ''): DataResponse {
 		try {
 			$share = $this->getShareById($id);

build/integration/config/behat.yml

@@ -243,3 +243,14 @@ default:
             regular_user_password: 123456
         - RemoteContext:
             remote: http://localhost:8080
+
+    ratelimiting:
+      paths:
+        - "%paths.base%/../ratelimiting_features"
+      contexts:
+        - RateLimitingContext:
+            baseUrl: http://localhost:8080
+            admin:
+              - admin
+              - admin
+            regular_user_password: 123456

build/integration/features/bootstrap/RateLimitingContext.php

@@ -0,0 +1,30 @@
+<?php
+/**
+ * SPDX-FileCopyrightText: 2025 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+use Behat\Behat\Context\Context;
+
+class RateLimitingContext implements Context {
+	use BasicStructure;
+	use CommandLine;
+	use Provisioning;
+
+	/**
+	 * @BeforeScenario @RateLimiting
+	 */
+	public function enableRateLimiting() {
+		// Enable rate limiting for the tests.
+		// Ratelimiting is disabled by default, so we need to enable it
+		$this->runOcc(['config:system:set', 'ratelimit.protection.enabled', '--value', 'true', '--type', 'bool']);
+	}
+
+	/**
+	 * @AfterScenario @RateLimiting
+	 */
+	public function disableRateLimiting() {
+		// Restore the default rate limiting configuration.
+		// Ratelimiting is disabled by default, so we need to disable it
+		$this->runOcc(['config:system:set', 'ratelimit.protection.enabled', '--value', 'false', '--type', 'bool']);
+	}
+}

build/integration/features/ratelimiting.feature renamed to build/integration/ratelimiting_features/ratelimiting.feature

@@ -1,5 +1,6 @@
 # SPDX-FileCopyrightText: 2017 Nextcloud GmbH and Nextcloud contributors
 # SPDX-License-Identifier: AGPL-3.0-or-later
+@RateLimiting
 Feature: ratelimiting
 
   Background:

build/integration/run.sh

@@ -20,6 +20,8 @@ INSTALLED=$($OCC status | grep installed: | cut -d " " -f 5)
 if [ "$INSTALLED" == "true" ]; then
     # Disable bruteforce protection because the integration tests do trigger them
     $OCC config:system:set auth.bruteforce.protection.enabled --value false --type bool
+    # Disable rate limit protection because the integration tests do trigger them
+    $OCC config:system:set ratelimit.protection.enabled --value false --type bool
     # Allow local remote urls otherwise we can not share
     $OCC config:system:set allow_local_remote_servers --value true --type bool
     # Allow self signed certificates