From 2c0fba7a80a510c61c330d0cb7b73e8504944853 Mon Sep 17 00:00:00 2001
From: biredel <67849440+biredel@users.noreply.github.com>
Date: Tue, 20 Jan 2026 17:27:17 +0100
Subject: [PATCH 1/2] rate limit share creation 200 times per 10 minutes Was unlimited before #50905 setting to 20/600s which proved to be too low for some legitimate human actions, e.g. chat messages with attachments in Talk. Fix that by bumping to some arbitrary higher value, until some clearer justification for having it lower or higher is determined.
Signed-off-by: biredel <67849440+biredel@users.noreply.github.com>
---
 apps/files_sharing/lib/Controller/ShareAPIController.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/apps/files_sharing/lib/Controller/ShareAPIController.php b/apps/files_sharing/lib/Controller/ShareAPIController.php
index 8ed52a1de41d6..a67ad76ef2ef1 100644
--- a/apps/files_sharing/lib/Controller/ShareAPIController.php
+++ b/apps/files_sharing/lib/Controller/ShareAPIController.php
@@ -587,7 +587,7 @@ public function deleteShare(string $id): DataResponse {
 * 200: Share created
 */
 #[NoAdminRequired]
- #[UserRateLimit(limit: 20, period: 600)]
+ #[UserRateLimit(limit: 200, period: 600)]
 public function createShare(
 ?string $path = null,
 ?int $permissions = null,
From 806a28d55c12211410832fb017c9e410e2ca0dcd Mon Sep 17 00:00:00 2001
From: biredel <67849440+biredel@users.noreply.github.com>
Date: Fri, 23 Jan 2026 19:09:29 +0100
Subject: [PATCH 2/2] rate limit share creation 40 times per 10 minute no goal stated; just copied from review comment
Signed-off-by: biredel <67849440+biredel@users.noreply.github.com>
---
 apps/files_sharing/lib/Controller/ShareAPIController.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/apps/files_sharing/lib/Controller/ShareAPIController.php b/apps/files_sharing/lib/Controller/ShareAPIController.php
index a67ad76ef2ef1..69447346d309f 100644
--- a/apps/files_sharing/lib/Controller/ShareAPIController.php
+++ b/apps/files_sharing/lib/Controller/ShareAPIController.php
@@ -587,7 +587,7 @@ public function deleteShare(string $id): DataResponse {
 * 200: Share created
 */
 #[NoAdminRequired]
- #[UserRateLimit(limit: 200, period: 600)]
+ #[UserRateLimit(limit: 40, period: 600)]
 public function createShare(
 ?string $path = null,
 ?int $permissions = null,
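Review bot: The final `#[UserRateLimit(limit: 40, period: 600)]` on `createShare` has no recorded rationale, and the commit message says as much, so the next adjustment will again be guesswork; the intermediate 200 from patch 1/2 has the same gap and is superseded here. I would add a comment directly above the attribute, for example `// 40 per 600s per user: 20 throttled legitimate bursts (Talk attachments, see #50905); bounds bulk share creation from one account`. Because the attribute sits on the whole endpoint, every kind of share this method creates presumably draws from the same per-user budget, so a limit loose enough for chat attachments is equally loose for any more abuse-prone share type. Whether a tighter separate budget is warranted depends on the body of `createShare`, which continues outside this hunk. A test or documented measurement of how many shares a typical legitimate burst creates would give the number a basis.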