fix(api): add basic booking throttling

2026-04-29 22:57:09 +02:00
parent a8f2a7c803
commit 0533a1799f
5 changed files with 111 additions and 12 deletions
--- a/backend/checkins/views.py
+++ b/backend/checkins/views.py
@@ -1,8 +1,9 @@
 from rest_framework import status
 from rest_framework.authentication import BasicAuthentication, SessionAuthentication
-from rest_framework.decorators import api_view, authentication_classes, permission_classes
+from rest_framework.decorators import api_view, authentication_classes, permission_classes, throttle_classes
 from rest_framework.permissions import BasePermission, IsAuthenticated
 from rest_framework.response import Response
+from rest_framework.throttling import UserRateThrottle

 from .serializers import (
    CheckInConfirmResponseSerializer,
@@ -19,19 +20,22 @@ from .services import (
 )


+class CheckInPreviewThrottle(UserRateThrottle):
+    scope = "check_in_preview"
+
+
+class CheckInConfirmThrottle(UserRateThrottle):
+    scope = "check_in_confirm"
+
+
 class IsStaffUser(BasePermission):
    def has_permission(self, request, view):
        return bool(request.user and request.user.is_staff)

-
-def staff_check_in_view(view_func):
-    view_func = permission_classes([IsAuthenticated, IsStaffUser])(view_func)
-    view_func = authentication_classes([BasicAuthentication, SessionAuthentication])(view_func)
-    view_func = api_view(["POST"])(view_func)
-    return view_func
-
-
-@staff_check_in_view
+@api_view(["POST"])
+@authentication_classes([BasicAuthentication, SessionAuthentication])
+@permission_classes([IsAuthenticated, IsStaffUser])
+@throttle_classes([CheckInPreviewThrottle])
 def check_in_preview(request):
    serializer = CheckInTokenSerializer(data=request.data)
    serializer.is_valid(raise_exception=True)
@@ -73,7 +77,10 @@ def check_in_preview(request):
    return Response(response_serializer.data)


-@staff_check_in_view
+@api_view(["POST"])
+@authentication_classes([BasicAuthentication, SessionAuthentication])
+@permission_classes([IsAuthenticated, IsStaffUser])
+@throttle_classes([CheckInConfirmThrottle])
 def check_in_confirm(request):
    serializer = CheckInTokenSerializer(data=request.data)
    serializer.is_valid(raise_exception=True)