From 9dcf063337637f19139e5e5d7f9989f714eb8d87 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Adri=C3=A0=20Casaj=C3=BAs?=
Date: Tue, 13 Dec 2022 18:48:44 +0100
Subject: [PATCH] Rate limit changing user settings (#1491)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Co-authored-by: Adrià Casajús
---
 app/dashboard/views/setting.py | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/app/dashboard/views/setting.py b/app/dashboard/views/setting.py
index a72941a2..6ac196ea 100644
--- a/app/dashboard/views/setting.py
+++ b/app/dashboard/views/setting.py
@@ -29,6 +29,7 @@ from app.email_utils import (
 personal_email_already_used,
 )
 from app.errors import ProtonPartnerNotSetUp
+from app.extensions import limiter
 from app.image_validation import detect_image_format, ImageFormat
 from app.jobs.export_user_data_job import ExportUserDataJob
 from app.log import LOG
@@ -100,6 +101,7 @@ def get_partner_subscription_and_name(
 @dashboard_bp.route("/setting", methods=["GET", "POST"])
 @login_required
+@limiter.limit("5/minute", methods=["POST"])
 def setting():
 form = SettingForm()
 promo_form = PromoCodeForm()
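Review bot: The `@limiter.limit("5/minute", methods=["POST"])` decorator added above `def setting():` in the second hunk does not say what the bucket is keyed on, so it inherits whatever `key_func` the shared `limiter` in `app.extensions` was built with, which is not visible in this patch. If that default is the client address, users behind one NAT or reverse proxy share five POSTs a minute, while a logged-in client that changes address gets a fresh bucket. Since the view is `@login_required`, keying on the account is the stronger choice, e.g. `@limiter.limit("5/minute", methods=["POST"], key_func=lambda: str(current_user.id))`, assuming `current_user` is already imported in this module. The body of `setting()` continues past the hunk and appears to serve several forms (`SettingForm`, `PromoCodeForm`), so they all draw on this one budget; a comment such as `# one shared POST budget for every form on /setting` would make that explicit. A test asserting that the sixth POST within a minute returns 429 would pin the behaviour.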