This commit is contained in:
Matthias Mair 2026-07-05 21:42:24 +10:00 committed by GitHub
commit 43ce4d1e03
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
4 changed files with 25 additions and 1 deletions

View File

@ -29,6 +29,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
- [#12107](https://github.com/inventree/InvenTree/pull/12107) makes a breaking change to the `SalesOrderStatusGroups` enum, fixing a bug where the "shipped" status was not included in the "active" group. This change may affect any external client applications which make use of the `SalesOrderStatusGroups` enum, as the "shipped" status will now be included in the "active" group instead of the "complete" group. If you are using this enum in an external client application, you will need to update your application to account for this change.
- [#9604](https://github.com/inventree/InvenTree/pull/9604) refactors user API endpoint to be less ambiguous
- [#11893](https://github.com/inventree/InvenTree/pull/11893) bumps Node environment to version 24 LTS - this is only relevant if you build the frontend assets yourself
- [#11951](https://github.com/inventree/InvenTree/pull/11951) adds API throtteling by default to make DoS attacks more difficult. This can be disabled by setting the `INVENTREE_THROTTLE_ANON` and `INVENTREE_THROTTLE_USER` settings to `None` (either via environment variable or config file). The default throttling rates are 20 requests per minute for anonymous users, and 20 requests per second for authenticated users.
### Added

View File

@ -136,7 +136,8 @@ Depending on how your InvenTree installation is configured, you will need to pay
| `INVENTREE_X_FORWARDED_PROTO_NAME` | `x_forwarded_proto_name` | `HTTP_X_FORWARDED_PROTO` | Name of the header to use for forwarded protocol information |
{{ configsetting("INVENTREE_SESSION_COOKIE_SECURE") }} Enforce secure session cookies |
{{ configsetting("INVENTREE_COOKIE_SAMESITE") }} Session cookie mode. Must be one of `Strict | Lax | None | False`. Refer to the [mozilla developer docs](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie) and the [django documentation]({% include "django.html" %}/ref/settings/#std-setting-SESSION_COOKIE_SAMESITE) for more information. |
{{ configsetting("INVENTREE_THROTTLE_ANON") }} Throttle rate for anonymous users (e.g. '20/minute') |
{{ configsetting("INVENTREE_THROTTLE_USER") }} Throttle rate for authenticated users (e.g. '5/second') |
### Debug Mode

View File

@ -529,6 +529,8 @@ REST_FRAMEWORK = {
'DEFAULT_METADATA_CLASS': 'InvenTree.metadata.InvenTreeMetadata',
'DEFAULT_RENDERER_CLASSES': ['rest_framework.renderers.JSONRenderer'],
'TOKEN_MODEL': 'users.models.ApiToken',
'DEFAULT_THROTTLE_CLASSES': [],
'DEFAULT_THROTTLE_RATES': {},
}
if DEBUG:
@ -544,6 +546,21 @@ if USE_JWT:
JWT_AUTH_REFRESH_COOKIE = 'inventree-token'
INSTALLED_APPS.append('rest_framework_simplejwt')
# Throtteling setup
THROTTLE_ANON = get_setting('INVENTREE_THROTTLE_ANON', 'throttle.anon', '20/minute')
THROTTLE_USER = get_setting('INVENTREE_THROTTLE_USER', 'throttle.user', '60/second')
if not DEBUG and THROTTLE_ANON and str(THROTTLE_ANON).lower() != 'none':
REST_FRAMEWORK['DEFAULT_THROTTLE_RATES']['anon'] = THROTTLE_ANON
REST_FRAMEWORK['DEFAULT_THROTTLE_CLASSES'].append(
'rest_framework.throttling.AnonRateThrottle'
)
if not DEBUG and THROTTLE_USER and str(THROTTLE_USER).lower() != 'none':
REST_FRAMEWORK['DEFAULT_THROTTLE_RATES']['user'] = THROTTLE_USER
REST_FRAMEWORK['DEFAULT_THROTTLE_CLASSES'].append(
'rest_framework.throttling.UserRateThrottle'
)
# WSGI default setting
WSGI_APPLICATION = 'InvenTree.wsgi.application'

View File

@ -162,6 +162,11 @@ cors:
# regex:
# Throttling is applied to the API by default to make DoS attacks more difficult; these can be disabled by setting them to None.
# throttle:
# anon: '20/minute'
# user: '60/second'
# MEDIA_ROOT is the local filesystem location for storing uploaded files
#media_root: '/home/inventree/data/media'