FIX: Only apply the rate limit to user exports, not downloads (#30965)

Follow-up to 7fc8d74f3eed52116add452b5321b41e02e04499. This change moves the guardian check for whether an export has been generated too recently to the endpoint handler, since we only want this check to apply when generating an export.
2025-02-07 03:48:23 +00:00 · 2025-01-24 09:37:05 +11:00 · 2025-01-24 09:37:05 +11:00 · 7d2fcb8812
commit 7d2fcb8812
parent 7fc8d74f3e
2 changed files with 12 additions and 5 deletions
--- a/app/controllers/export_csv_controller.rb
+++ b/app/controllers/export_csv_controller.rb
@ -17,6 +17,17 @@ class ExportCsvController < ApplicationController

    if entity == "user_archive"
      requesting_user_id = current_user.id if entity_id
+
+      # Rate limit user archive exports to 1 per day
+      unless current_user.admin ||
+               UserExport.where(
+                 user_id: entity_id || current_user.id,
+                 created_at: (Time.zone.now.beginning_of_day..Time.zone.now.end_of_day),
+               ).count == 0
+        render_json_error I18n.t("csv_export.rate_limit_error")
+        return
+      end
+
      Jobs.enqueue(
        :export_user_archive,
        user_id: entity_id || current_user.id,
--- a/lib/guardian.rb
+++ b/lib/guardian.rb
@ -544,11 +544,7 @@ class Guardian

    # Regular users can only export their archives
    return false unless entity == "user_archive"
-    return false unless entity_id == @user.id || entity_id.nil?
-    UserExport.where(
-      user_id: @user.id,
-      created_at: (Time.zone.now.beginning_of_day..Time.zone.now.end_of_day),
-    ).count == 0
+    entity_id == @user.id || entity_id.nil?
  end

  def can_see_emails?