Prevent mass reset of chat sessions
>>> [!note] Migrated issue
<!-- Drupal.org comment -->
<!-- Migrated from issue #3560980. -->
Reported by: [valthebald](https://www.drupal.org/user/239562)
Related to !1030 !1031
>>>

<h3 id="summary-problem-motivation">Problem/Motivation</h3>
<p>The reset route (ai_chatbot.reset_conversation) currently requires the "access content" permission, which is typically granted to all users (including anonymous).</p>
<p>That makes it possible to mass-generate new sessions by sending POST requests (if they know or guess the appropriate parameters).</p>
<p>They could then DoS the site by sending lots of reset requests, which would interfere with the operation of the chatbot.</p>
<h3 id="summary-proposed-resolution">Proposed resolution</h3>
<ol>
<li>Change the route permission to the same "access deepchat api" permission used by some of the other routes provided by the module.</li>
<li>Add flood control to prevent mass session reset for scenarios where the chat is open to anonymous users.</li>
</ol>
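The two mitigations proposed above, as an added example written by the editor for this page. It is not code from the ai_chatbot module or from the issue reporter. Only the route name `ai_chatbot.reset_conversation` and the permission `access deepchat api` come from the issue; the module name `example_module`, the class names, the flood event name, the session key `ai_chatbot_thread`, and the threshold of 5 resets per 60 seconds are assumptions. The first class is a route subscriber that tightens the permission requirement without touching the module's routing.yml; the second is a controller that uses Drupal core's `flood` service, keyed on the client IP so that it also limits anonymous users:

```php
<?php
// Added example (not ai_chatbot code). All names except the route
// 'ai_chatbot.reset_conversation' and the permission 'access deepchat api'
// are assumptions for illustration.

// --- File 1: src/Routing/ResetRouteSubscriber.php ---
// Register in example_module.services.yml as a service tagged
// { name: event_subscriber } so Drupal calls alterRoutes() on route rebuild.
namespace Drupal\example_module\Routing;

use Drupal\Core\Routing\RouteSubscriberBase;
use Symfony\Component\Routing\RouteCollection;

class ResetRouteSubscriber extends RouteSubscriberBase {

  protected function alterRoutes(RouteCollection $collection) {
    $route = $collection->get('ai_chatbot.reset_conversation');
    if ($route) {
      // setRequirement() replaces only '_permission' and keeps any other
      // requirements (for example a '_method' restriction) intact.
      $route->setRequirement('_permission', 'access deepchat api');
    }
  }

}

// --- File 2: src/Controller/FloodGuardedResetController.php ---
namespace Drupal\example_module\Controller;

use Drupal\Core\Controller\ControllerBase;
use Drupal\Core\Flood\FloodInterface;
use Symfony\Component\DependencyInjection\ContainerInterface;
use Symfony\Component\HttpFoundation\JsonResponse;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpKernel\Exception\TooManyRequestsHttpException;

class FloodGuardedResetController extends ControllerBase {

  // Flood event name and limits are assumptions; tune them for the site.
  const FLOOD_NAME = 'example_module.chat_reset';
  const FLOOD_THRESHOLD = 5;   // resets allowed per window per client
  const FLOOD_WINDOW = 60;     // window length in seconds

  public function __construct(protected FloodInterface $flood) {}

  public static function create(ContainerInterface $container): static {
    return new static($container->get('flood'));
  }

  /**
   * POST handler: resets the chat session unless the client is flooding.
   */
  public function reset(Request $request): JsonResponse {
    // Key the counter on the client IP so anonymous users are limited too.
    // getClientIp() only honours X-Forwarded-For when reverse proxies are
    // configured as trusted in settings.php; otherwise it uses REMOTE_ADDR.
    $identifier = $request->getClientIp();

    if (!$this->flood->isAllowed(self::FLOOD_NAME, self::FLOOD_THRESHOLD, self::FLOOD_WINDOW, $identifier)) {
      // 429 with a Retry-After header equal to the window length.
      throw new TooManyRequestsHttpException(self::FLOOD_WINDOW, 'Too many chat reset requests.');
    }
    // Count this attempt before doing the work, so failed or aborted
    // resets still consume budget.
    $this->flood->register(self::FLOOD_NAME, self::FLOOD_WINDOW, $identifier);

    // The actual reset: drop the stored conversation identifier so the
    // next message starts a new thread. The session key is an assumption.
    $request->getSession()->remove('ai_chatbot_thread');

    return new JsonResponse(['status' => 'reset']);
  }

}
```

With the permission change alone, anonymous users are excluded only if the site never grants `access deepchat api` to the anonymous role; the flood check is what protects a public chatbot, since it caps resets per client regardless of role. The counter lives in the `flood` table and is pruned by cron, the same mechanism core uses for failed-login throttling. Drupal's standard `_csrf_request_header_token: 'TRUE'` route requirement is a further, separate option for POST routes called from JavaScript, but it does not by itself address the volume problem the issue describes.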