authorGitLab Bot <gitlab-bot@gitlab.com>2020-10-01 01:14:30 +0300
committerGitLab Bot <gitlab-bot@gitlab.com>2020-10-01 01:14:30 +0300
commit4d243f5ca3709f28f9de96937e3c2ac736deb4bd (patch)
tree1497701e95f387e46db5311ca12be41c00fed836 /app/controllers/profiles
parent516fba52cf280b9d5bad08dce9f0150f859b6cea (diff)
Add latest changes from gitlab-org/security/gitlab@13-4-stable-ee
Diffstat (limited to 'app/controllers/profiles')
-rw-r--r--app/controllers/profiles/emails_controller.rb12
1 files changed, 12 insertions, 0 deletions
diff --git a/app/controllers/profiles/emails_controller.rb b/app/controllers/profiles/emails_controller.rb
index f666a1150a6..da553e34ef6 100644
--- a/app/controllers/profiles/emails_controller.rb
+++ b/app/controllers/profiles/emails_controller.rb
@@ -2,6 +2,8 @@
class Profiles::EmailsController < Profiles::ApplicationController
before_action :find_email, only: [:destroy, :resend_confirmation_instructions]
+ before_action -> { rate_limit!(:profile_add_new_email) }, only: [:create]
+ before_action -> { rate_limit!(:profile_resend_email_confirmation) }, only: [:resend_confirmation_instructions]
def index
@primary_email = current_user.email
@@ -38,6 +40,16 @@ class Profiles::EmailsController < Profiles::ApplicationController
private
+ def rate_limit!(action)
+ rate_limiter = ::Gitlab::ApplicationRateLimiter
+
+ if rate_limiter.throttled?(action, scope: current_user)
+ rate_limiter.log_request(request, action, current_user)
+
+ redirect_back_or_default(options: { alert: _('This action has been performed too many times. Try again later.') })
+ end
+ end
+
def email_params
params.require(:email).permit(:email)
end
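Review bot: The throttled branch of `rate_limit!` in the second hunk answers with a 302 redirect and a flash alert, so any caller that is not a browser form submit cannot tell a throttled request from the ordinary post-create redirect and never sees a 429; if these two actions are only reachable from HTML forms, a comment saying so would make that choice deliberate, otherwise a `respond_to` split with `head :too_many_requests` for non-HTML formats is the usual shape. The check is scoped with `scope: current_user`, so the limit is per account, and the threshold and interval for `:profile_add_new_email` and `:profile_resend_email_confirmation` are not part of this diff — presumably they live in the rate limiter's configuration and `throttled?` bumps the counter on every call, which is worth confirming since `log_request` then fires once per throttled request. The helper has no documentation; I would add above `def rate_limit!(action)`: `# Halts the filter chain with a redirect and alert when the current user has exceeded the per-user limit for +action+ (threshold and interval come from Gitlab::ApplicationRateLimiter).` The `private` section this method sits in continues past the end of the hunk.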