fix(handlers): bypass box creation limits for batched uploads

Update `createOrAppendBox` to accept the upload policy and admin status, allowing policy enforcement to be handled during the box creation/append decision process. This ensures that appending files to an existing batch does not incorrectly trigger daily or active box creation limits, as no new box is being created. Also, add unit tests to verify that batched uploads successfully bypass both daily and active box creation caps.
2026-06-01 00:20:18 +03:00
parent 71d9b9db7e
commit 4eacb4cde2
8 changed files with 207 additions and 47 deletions
--- a/backend/libs/middleware/bans.go
+++ b/backend/libs/middleware/bans.go
@@ -26,10 +26,20 @@ func Bans(logger *slog.Logger, bans *services.BanService, trustedProxies []strin
 					return
 				}

+				settings, err := bans.Settings()
+				if err != nil {
+					logger.Error("ban settings load failed", "source", "ban", "severity", "error", "code", 5004, "ip", ip, "error", err.Error())
+					next.ServeHTTP(w, r)
+					return
+				}
+				if !settings.AutoBanEnabled {
+					next.ServeHTTP(w, r)
+					return
+				}
 				if pattern, err := bans.MaliciousPattern(r.URL.Path); err != nil {
 					logger.Error("malicious path check failed", "source", "ban", "severity", "error", "code", 5002, "ip", ip, "error", err.Error())
 				} else if pattern != "" {
-					if result, err := bans.RecordAbuse(ip, services.AbuseKindMaliciousPath, r.URL.Path, banThreshold(bans, services.AbuseKindMaliciousPath), now); err != nil {
+					if result, err := bans.RecordAbuse(ip, services.AbuseKindMaliciousPath, r.URL.Path, settings.MaliciousPathThreshold, now); err != nil {
 						logger.Error("malicious path event failed", "source", "ban", "severity", "error", "code", 5003, "ip", ip, "path", r.URL.Path, "error", err.Error())
 					} else if result.Enabled {
 						logger.Warn("malicious path requested", "source", "ban", "severity", "warn", "code", 4302, "ip", ip, "path", r.URL.Path, "pattern", pattern, "count", result.Event.Count)
@@ -48,18 +58,3 @@ func Bans(logger *slog.Logger, bans *services.BanService, trustedProxies []strin
 		})
 	}
 }
-
-func banThreshold(bans *services.BanService, kind string) int {
-	settings, err := bans.Settings()
-	if err != nil {
-		return 0
-	}
-	switch kind {
-	case services.AbuseKindAdminLogin:
-		return settings.AdminLoginFailureThreshold
-	case services.AbuseKindUserLogin:
-		return settings.UserLoginFailureThreshold
-	default:
-		return settings.MaliciousPathThreshold
-	}
-}