From 2bf6e4e07203eec53b6570c59b87e7d0b1a707db Mon Sep 17 00:00:00 2001
From: Simon Detheridge
Date: Fri, 22 Mar 2019 12:15:11 +0000
Subject: [PATCH] Merge pull request #1638 from sharelatex/spd-delete-user-rate-limit

Add rate limit to user deletion

GitOrigin-RevId: 4269277ea88b32b93f897a2b2709385ab379e479
---
 services/web/app/coffee/router.coffee | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/services/web/app/coffee/router.coffee b/services/web/app/coffee/router.coffee
index fe5a6e3c3b..d365623bf2 100644
--- a/services/web/app/coffee/router.coffee
+++ b/services/web/app/coffee/router.coffee
@@ -173,7 +173,14 @@ module.exports = class Router
 webRouter.post '/user/sessions/clear', AuthenticationController.requireLogin(), UserController.clearSessions
 webRouter.delete '/user/newsletter/unsubscribe', AuthenticationController.requireLogin(), UserController.unsubscribe
- webRouter.post '/user/delete', AuthenticationController.requireLogin(), UserController.tryDeleteUser
+ webRouter.post '/user/delete',
+ RateLimiterMiddleware.rateLimit({
+ endpointName: "delete-user"
+ maxRequests: 10
+ timeInterval: 60
+ }),
+ AuthenticationController.requireLogin(),
+ UserController.tryDeleteUser
 webRouter.get '/user/personal_info', AuthenticationController.requireLogin(), UserInfoController.getLoggedInUsersPersonalInfo
 privateApiRouter.get '/user/:user_id/personal_info', AuthenticationController.httpAuth, UserInfoController.getPersonalInfo
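Review bot: In the new `/user/delete` route the limiter is listed ahead of `AuthenticationController.requireLogin()`, so it also counts requests that carry no session, and the hunk does not show what `RateLimiterMiddleware.rateLimit` keys its counter on. If the key falls back to the client address, users behind one shared address share the ten-request budget, and if it is the session user the pre-auth placement adds nothing; a comment above the route stating the intent would settle it, e.g. `# rate limit runs before requireLogin on purpose; counter is keyed on <user id | client IP>`. `UserController.tryDeleteUser` presumably verifies a password confirmation (not visible here), in which case ten attempts per interval still permits sustained guessing from a session someone else has taken over, so a lower `maxRequests` or a longer interval, plus a log line when the limit trips, is worth considering. The unit of `timeInterval` is not stated in the hunk; `timeInterval: 60 # seconds` would remove the guess if that is the unit. The Router class body begins and continues outside this hunk.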