Update project creation limits#20046
| "warehouse.packaging.project_create_user_ratelimit_string", | ||
| "PROJECT_CREATE_USER_RATELIMIT_STRING", | ||
| default="20 per hour", | ||
| default="2 per day", |
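Review bot: the shipped default drops from "20 per hour" to "2 per day", and the comment below says deployments set this through PROJECT_CREATE_USER_RATELIMIT_STRING; any environment that still relies on the default (testpypi, per that comment) silently gets the much tighter limit, so call the change out in the changelog and confirm those environments have the variable set before merging.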
this will make testpypi angry and is set in cabo via PROJECT_CREATE_USER_RATELIMIT_STRING so
_check_ratelimits now runs on every create_project call, which evaluates creator.id to pass to the limiter. The bare pretend.stub() has no id attribute, so the test blew up before reaching the AdminFlag-forbidden path it was meant to exercise. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: fd28ee59d6
| self.request.user, | ||
| request=self.request, | ||
| creator_is_owner=False, | ||
| ratelimited=False, | ||
| ) |
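Review bot: this call passes ratelimited=False, yet the surrounding except clause only handles HTTPException; since the commit message above states that _check_ratelimits now runs on every create_project call, TooManyProjectsCreated (a RateLimiterException, not an HTTPException, per the automated review below) can still escape here as a 500, so catch it next to HTTPException and render it as the same form error, and add a one-line comment on what ratelimited=False still controls now that the check is unconditional.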
Catch project rate-limit errors when adding org projects
This call now goes through ProjectService.create_project() with rate limiting enabled, but this view still only catches HTTPException. When a user has exceeded project.create.* limits, create_project() raises TooManyProjectsCreated (a RateLimiterException, not an HTTPException), so the exception escapes and turns a normal validation failure into a 500 for organization project creation attempts.
| pending_publisher.added_by, | ||
| request, | ||
| creator_is_owner=pending_publisher.organization_id is None, | ||
| ratelimited=False, | ||
| organization_id=pending_publisher.organization_id, | ||
| ) |
Catch project rate-limit errors in pending publisher minting
Pending-publisher token minting now invokes rate-limited project creation, but this block only handles HTTPException. If the pending publisher owner has hit project creation limits, create_project() raises TooManyProjectsCreated (not an HTTPException), which is unhandled here and results in a server error instead of a structured API error response.
…tion Adds regression coverage for the two view-layer catches added in 41a6bd1 / a162387 — confirms that hitting the per-user project-create ratelimiter while creating an org-owned project or reifying a pending OIDC publisher returns a structured error (form-error / 422 JSON) instead of a 500. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Parametrize the new TooManyProjectsCreated regression tests so they exercise both a real timedelta and the resets_in=None branch the defensive handlers in oidc/views.py and manage/views/organizations.py fall back to. None can legitimately come back from the limiter on a race or a transient redis error, and we want a 429 with "try again later" instead of a 500. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
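The handling the commit messages and automated review above call for, a structured 429 for TooManyProjectsCreated including the resets_in=None fallback, as an added example that is not warehouse's own code; the exception classes, ErrorResponse and the create_project callable are constructed stand-ins with the shape the thread describes.

```python
import math
from dataclasses import dataclass

# Constructed stand-ins with the shape the review comments above describe;
# they are not the real warehouse / pyramid classes.
class HTTPException(Exception):
    """Stand-in for pyramid.httpexceptions.HTTPException."""
    status_code = 400
class RateLimiterException(Exception):
    """Limiter base class: deliberately NOT an HTTPException subclass."""
    def __init__(self, resets_in=None):
        super().__init__()
        self.resets_in = resets_in  # timedelta, or None on a race / redis error
class TooManyProjectsCreated(RateLimiterException):
    pass

@dataclass
class ErrorResponse:
    status: int
    body: dict
    headers: dict

def ratelimit_error_response(exc):
    """Map a limiter exception to a structured 429 instead of an unhandled 500."""
    headers = {}
    if exc.resets_in is not None:
        # Round up so the client never retries a second too early.
        retry_after = max(1, math.ceil(exc.resets_in.total_seconds()))
        headers["Retry-After"] = str(retry_after)
        message = f"Too many new projects created. Try again in {retry_after} seconds."
    else:  # resets_in=None branch: no timing known, still 429 rather than 500
        message = "Too many new projects created. Try again later."
    return ErrorResponse(429, {"message": message}, headers)

def create_project_view(create_project, name):
    """View-layer shape: catch BOTH exception families around the service call.
    create_project is a hypothetical stand-in for ProjectService.create_project."""
    try:
        create_project(name)
    except HTTPException as exc:
        return ErrorResponse(exc.status_code, {"message": str(exc)}, {})
    except TooManyProjectsCreated as exc:
        return ratelimit_error_response(exc)
    return ErrorResponse(201, {"name": name}, {})

def raising(exc):  # constructed test double: a create_project that always raises exc
    def create_project(name):
        raise exc
    return create_project
```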