Index: openacs-4/packages/xotcl-request-monitor/tcl/throttle_mod-procs.tcl
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/xotcl-request-monitor/tcl/throttle_mod-procs.tcl,v
diff -u -r1.67.2.54 -r1.67.2.55
--- openacs-4/packages/xotcl-request-monitor/tcl/throttle_mod-procs.tcl	22 Dec 2022 02:51:37 -0000	1.67.2.54
+++ openacs-4/packages/xotcl-request-monitor/tcl/throttle_mod-procs.tcl	24 Jan 2023 16:32:36 -0000	1.67.2.55
@@ -268,6 +268,7 @@
     }
 
     set var :running_url($requestKey,$url)
+    set overactive ov($requestKey,$url)
 
     #
     # Never block certain requests, such as embedded requests, range
@@ -307,13 +308,26 @@
     if {${:do_double_click_prevention} && [info exists $var]} {
       #
       # Request already running
-      # ns_log notice  "### already $var"
       #
+      # Keep value in per-minute counter
+      minutes incr $overactive
+      #
+      #ns_log notice  "### block $var overactive [minutes set $overactive]"
       return [list 0 0 1]
     } elseif {$::verbose_blocking && [info exists $var]} {
       ns_log notice "would block: fetchDest $fetchDest $requestKey $url"
     }
 
+    #
+    # Check, if have blocked (429) this URL already 15 times for this
+    # user in this minute.  If so, block this URL for this user, until
+    # the minute is over.
+    #
+    if {[minutes exists $overactive] && [minutes set $overactive] > 15} {
+      ns_log notice  "### request $overactive blocked since user has issued in this minute too many repeated requests"
+      return [list 0 0 2]
+    }
+
     set $var $conn_time
     #ns_log notice  "### new $var"
     #set t1 [clock milliseconds]
@@ -613,6 +627,14 @@
   Counter create minutes -timeoutMs 60000 -report hours -logging 1
   Counter create seconds -timeoutMs 1000 -report minutes
 
+  minutes proc end {} {
+    #
+    # Delete overactive counters.
+    #
+    array unset :ov
+    next
+  }
+
   # The counter user_count_day just records the number of active user
   # per day. It differs from other counters by keeping track of a pair
   # of values (authenticated and non-authenticated).
@@ -1791,10 +1813,14 @@
       toMuch ms repeat
   #set t1 [clock milliseconds]
 
+  #
+  # result == 0 OK
+  # result < 0 blocked
+  # result > 0 This web server is only open for interactive usage
+  #
   if {$repeat > 0} {
     :add_statistics repeat ${:requestor} ${:pa} ${:url} ${:query}
     if {$repeat > 1} {
-      :log "*** requestor (user ${:requestor}) would be blocked, when parameter do_slowdown_overactive would be activated"
       set result 1
     } else {
       set result -1