Fix rack-attack configuration

The set_defaults! clears the configuration and would remove the default blocklist https://community.openproject.org/work_packages/53399
opf · Mar 13, 2024 · 6ac6553 · 6ac6553
1 parent c934b92
commit 6ac6553
Showing 1 changed file with 13 additions and 13 deletions.
diff --git a/config/initializers/rack-attack.rb b/config/initializers/rack-attack.rb
@@ -26,21 +26,21 @@
 # See COPYRIGHT and LICENSE files for more details.
 #++
 
-if OpenProject::Configuration.blacklisted_routes.any?
-  # Block logins from a bad user agent
-  Rack::Attack.blocklist('block forbidden routes') do |req|
-    regex = OpenProject::Configuration.blacklisted_routes.map! { |str| Regexp.new(str) }
-    regex.any? { |i| i =~ req.path }
-  end
-
-  Rack::Attack.blocklisted_response = lambda do |_env|
-    # All blacklisted routes would return a 404.
-    [404, {}, ['Not found']]
-  end
-end
-
 Rails.application.reloader.to_prepare do
   # In test mode, enable rules and rack-attack using "with_rack_attack:" metadata
   Rack::Attack.enabled = !Rails.env.test?
   OpenProject::RateLimiting.set_defaults!
+
+  if OpenProject::Configuration.blacklisted_routes.any?
+    # Block logins from a bad user agent
+    Rack::Attack.blocklist('block forbidden routes') do |req|
+      regex = OpenProject::Configuration.blacklisted_routes.map! { |str| Regexp.new(str) }
+      regex.any? { |i| i =~ req.path }
+    end
+
+    Rack::Attack.blocklisted_responder = lambda do |_env|
+      # All blacklisted routes would return a 404.
+      [404, {}, ['Not found']]
+    end
+  end
 end