added config to actor block attacks

2021-03-12 15:10:39 +01:00 · 2021-03-12 15:10:39 +01:00 · 52d3ffeac3
commit 52d3ffeac3
parent 868ff2817a
3 changed files with 11 additions and 5 deletions
--- a/server/src/uds/REST/methods/actor_v3.py
+++ b/server/src/uds/REST/methods/actor_v3.py
@ -69,6 +69,8 @@ class BlockAccess(Exception):


 def checkBlockedIp(ip: str) -> None:
+    if GlobalConfig.BLOCK_ACTOR_FAILURES.getBool() is False:
+        return
    cache = Cache('actorv3')
    fails = cache.get(ip) or 0
    if fails > ALLOWED_FAILS:
--- a/server/src/uds/core/util/config.py
+++ b/server/src/uds/core/util/config.py
@ -315,6 +315,9 @@ class GlobalConfig:
    # If we use new logout mechanics
    EXCLUSIVE_LOGOUT: Config.Value = Config.section(SECURITY_SECTION).value('Exclusive Logout', '0', type=Config.BOOLEAN_FIELD)

+    # Enable/Disable Actor attack block
+    BLOCK_ACTOR_FAILURES: Config.Value = Config.section(SECURITY_SECTION).value('Block actor failures', '1', type=Config.BOOLEAN_FIELD)
+
    RELOAD_TIME: Config.Value = Config.section(GLOBAL_SECTION).value('Page reload Time', '300', type=Config.NUMERIC_FIELD)

    LIMITED_BY_CALENDAR_TEXT: Config.Value = Config.section(GLOBAL_SECTION).value('Calendar access denied text', '', type=Config.TEXT_FIELD)  # Defaults to Nothing
--- a/server/src/uds/web/views/modern.py
+++ b/server/src/uds/web/views/modern.py
@ -35,15 +35,16 @@ import typing
 from django.shortcuts import render
 from django.http import  HttpRequest, HttpResponse, JsonResponse, HttpResponseRedirect
 from django.urls import reverse
-from uds.web.util import errors
+from uds.core.util.request import ExtendedHttpRequest, ExtendedHttpRequestWithUser
 from uds.core.auths import auth

+from uds.web.util import errors
 from uds.web.forms.LoginForm import LoginForm
 from uds.web.util.authentication import checkLogin
-
 from uds.web.util.services import getServicesData
 from uds.web.util import configjs

+
 logger = logging.getLogger(__name__)


@ -66,7 +67,7 @@ def ticketLauncher(request: HttpRequest) -> HttpResponse:


 # Basically, the original /login method, but fixed for modern interface
-def login(request: HttpRequest, tag: typing.Optional[str] = None) -> HttpResponse:
+def login(request: ExtendedHttpRequest, tag: typing.Optional[str] = None) -> HttpResponse:
    # Default empty form
    logger.debug('Tag: %s', tag)
    if request.method == 'POST':
@ -97,7 +98,7 @@ def login(request: HttpRequest, tag: typing.Optional[str] = None) -> HttpRespons


@auth.webLoginRequired(admin=False)
-def logout(request: HttpRequest) -> HttpResponse:
+def logout(request: ExtendedHttpRequestWithUser) -> HttpResponse:
    auth.authLogLogout(request)
    request.session['restricted'] = False  # Remove restricted
    logoutUrl = request.user.logout()
@ -111,5 +112,5 @@ def js(request: HttpRequest) -> HttpResponse:


@auth.denyNonAuthenticated
-def servicesData(request: HttpRequest) -> HttpResponse:
+def servicesData(request: ExtendedHttpRequestWithUser) -> HttpResponse:
    return JsonResponse(getServicesData(request))