From 275b0a08e7b63a2578ea9ad47355890e73c484fd Mon Sep 17 00:00:00 2001
From: yuuki <>
Date: Fri, 31 Jan 2025 17:55:33 +0900
Subject: [PATCH] =?UTF-8?q?=E3=83=AC=E3=83=BC=E3=83=88=E3=83=AA=E3=83=9F?= =?UTF-8?q?=E3=83=83=E3=83=88=E3=82=92=E9=81=A9=E5=88=87=E3=81=AB=E8=A8=AD?= =?UTF-8?q?=E5=AE=9A?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 app.py | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/app.py b/app.py
index a489558..a7b4c64 100644
--- a/app.py
+++ b/app.py
@@ -299,6 +299,7 @@ def route_admin_songs_new():
 @app.route(basedir + 'admin/songs/new', methods=['POST'])
+@limiter.limit("4 per hour")
 @admin_required(level=100)
 def route_admin_songs_new_post():
 output = {'title_lang': {}, 'subtitle_lang': {}, 'courses': {}}
@@ -351,6 +352,7 @@ def route_admin_songs_new_post():
 @app.route(basedir + 'admin/songs/', methods=['POST'])
+@limiter.limit("4 per hour")
 @admin_required(level=50)
 def route_admin_songs_id_post(id):
 song = db.songs.find_one({'id': id})
@@ -404,6 +406,7 @@ def route_admin_songs_id_post(id):
 @app.route(basedir + 'admin/songs//delete', methods=['POST'])
+@limiter.limit("1 per day")
 @admin_required(level=100)
 def route_admin_songs_id_delete(id):
 song = db.songs.find_one({'id': id})
@@ -424,6 +427,7 @@ def route_admin_users():
 @app.route(basedir + 'admin/users', methods=['POST'])
+@limiter.limit("4 per hour")
 @admin_required(level=50)
 def route_admin_users_post():
 admin_name = session.get('username')
@@ -518,6 +522,7 @@ def route_api_config():
 @app.route(basedir + 'api/register', methods=['POST'])
+@limiter.limit("4 per hour")
 def route_api_register():
 data = request.get_json()
 if not schema.validate(data, schema.register):
@@ -559,6 +564,7 @@ def route_api_register():
 @app.route(basedir + 'api/login', methods=['POST'])
+@limiter.limit("4 per hour")
 def route_api_login():
 data = request.get_json()
 if not schema.validate(data, schema.login):
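Review bot: The limit on `route_admin_songs_new_post` is stacked above `@admin_required(level=100)` and passes no `key_func`, so requests are counted before the permission check and in whatever bucket the `Limiter(...)` constructor defines, which this patch does not show. If that default is the client address, every admin behind one proxy or NAT shares the same four requests, and rejected unauthenticated requests use them up too. The same stacking appears in the other `@admin_required` and `@login_required` hunks of this patch. For the authenticated routes I would key on the account, e.g. `@limiter.limit("4 per hour", key_func=lambda: session.get('username') or get_remote_address())`, assuming `get_remote_address` from `flask_limiter.util` is imported; the function bodies continue outside the hunks.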
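Review bot: On `route_api_login` the added `@limiter.limit("4 per hour")` charges every POST, successful or not, against a single default key, so it does not bound password guesses spread over many addresses against one account, while users who share an address can be locked out of logging in. A second limit keyed on the submitted account name would cover the first case, and `deduct_when=` can restrict the charge to failed attempts if the view returns a distinguishable status for them, which is not visible here. The body of `route_api_login` continues outside the hunk.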
@@ -586,6 +592,7 @@ def route_api_login():
 @app.route(basedir + 'api/logout', methods=['POST'])
+@limiter.limit("4 per hour")
 @login_required
 def route_api_logout():
 session.clear()
@@ -593,6 +600,7 @@ def route_api_logout():
 @app.route(basedir + 'api/account/display_name', methods=['POST'])
+@limiter.limit("4 per hour")
 @login_required
 def route_api_account_display_name():
 data = request.get_json()
@@ -613,6 +621,7 @@ def route_api_account_display_name():
 @app.route(basedir + 'api/account/don', methods=['POST'])
+@limiter.limit("4 per hour")
 @login_required
 def route_api_account_don():
 data = request.get_json()
@@ -638,6 +647,7 @@ def route_api_account_don():
 @app.route(basedir + 'api/account/password', methods=['POST'])
+@limiter.limit("4 per hour")
 @login_required
 def route_api_account_password():
 data = request.get_json()
@@ -666,6 +676,7 @@ def route_api_account_password():
 @app.route(basedir + 'api/account/remove', methods=['POST'])
+@limiter.limit("1 per day")
 @login_required
 def route_api_account_remove():
 data = request.get_json()
@@ -685,6 +696,7 @@ def route_api_account_remove():
 @app.route(basedir + 'api/scores/save', methods=['POST'])
+@limiter.limit("4 per hour")
 @login_required
 def route_api_scores_save():
 data = request.get_json()
@@ -796,6 +808,7 @@ def send_upload(ref):
 return cache_wrap(flask.send_from_directory("public/upload", ref), 3600)
 @app.route("/api/upload", methods=["POST"])
+@limiter.limit("4 per hour")
 def upload_file():
 try: # POSTリクエストにファイルの部分がない場合
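Review bot: Rate limiting `route_api_logout` means a fifth logout within the hour is answered by the limiter and `session.clear()` never runs, so the session stays valid on a machine the user wanted to sign out of. Logout is not an operation worth throttling; I would drop the added `@limiter.limit("4 per hour")` from this route or mark it with `@limiter.exempt` if a default limit is configured elsewhere.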
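Review bot: `"4 per hour"` on `route_api_scores_save` looks too low for the route's purpose: if a score is posted after each play, as the route name suggests, the fifth result in an hour is rejected and lost. A limit sized to realistic play and keyed on the logged-in account, e.g. `@limiter.limit("120 per hour", key_func=lambda: session.get('username'))`, would still stop flooding; the exact number needs tuning. The client should also be checked for how it handles the 429, since the body of the function is outside the hunk.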
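Review bot: `upload_file` has no `@login_required` or `@admin_required` between `@app.route("/api/upload", ...)` and the `def`, so the added limit is the only gate visible in this hunk on a POST that appears to write into `public/upload`, the directory `send_upload` serves. Four uploads per hour per client still lets anonymous clients place files there, and the limit does nothing about file type or size. Unless the body, which continues outside the hunk, checks the session itself, add `@login_required` under the `@limiter.limit("4 per hour")` line.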