From 4d243f5ca3709f28f9de96937e3c2ac736deb4bd Mon Sep 17 00:00:00 2001
From: GitLab Bot
Date: Wed, 30 Sep 2020 22:14:30 +0000
Subject: Add latest changes from gitlab-org/security/gitlab@13-4-stable-ee

---
 app/controllers/profiles/emails_controller.rb | 12 ++++++++++++
 1 file changed, 12 insertions(+)

(limited to 'app/controllers/profiles')

diff --git a/app/controllers/profiles/emails_controller.rb b/app/controllers/profiles/emails_controller.rb
index f666a1150a6..da553e34ef6 100644
--- a/app/controllers/profiles/emails_controller.rb
+++ b/app/controllers/profiles/emails_controller.rb
@@ -2,6 +2,8 @@
 class Profiles::EmailsController < Profiles::ApplicationController
   before_action :find_email, only: [:destroy, :resend_confirmation_instructions]
+  before_action -> { rate_limit!(:profile_add_new_email) }, only: [:create]
+  before_action -> { rate_limit!(:profile_resend_email_confirmation) }, only: [:resend_confirmation_instructions]
   def index
     @primary_email = current_user.email
@@ -38,6 +40,16 @@ class Profiles::EmailsController < Profiles::ApplicationController
   private
+  def rate_limit!(action)
+    rate_limiter = ::Gitlab::ApplicationRateLimiter
+    if rate_limiter.throttled?(action, scope: current_user)
+      rate_limiter.log_request(request, action, current_user)
+      redirect_back_or_default(options: { alert: _('This action has been performed too many times. Try again later.') })
+    end
+  end
   def email_params
     params.require(:email).permit(:email)
   end
-- 
cgit v1.2.3
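Review bot: `rate_limit!` in the second hunk is undocumented, and nothing in either hunk shows where the `:profile_add_new_email` and `:profile_resend_email_confirmation` keys get their threshold and interval; presumably that is configured in `::Gitlab::ApplicationRateLimiter`, so confirm both keys are registered there, since an unregistered key would at best never throttle. I'd add above the method: `# Redirects back with an alert (halting the action) when current_user has performed +action+ more often than the limit configured in ApplicationRateLimiter; the throttled request is logged first.` The `!` suffix is conventionally reserved for a method with a non-bang counterpart, so `enforce_rate_limit(action)` would read more conventionally, with the two `before_action` lambdas in the first hunk updated to match. Because the limiter is scoped to `current_user`, this is a per-account limit rather than a per-source one, which is worth stating in the comment so nobody assumes it bounds traffic by client address. The enclosing class `Profiles::EmailsController` starts and ends outside both hunks.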