User discovery vulnerability
Using recently introduced application functionality in trytond it is trivial to scan the server to discover which users exist in the system because the server aborts.
An example of a good implementation is LoginAttempt, where instead of storing a m2o to the user, a char field is used so the application always behaves the same, no matter if the login was attempted with a valid user or not.
So I think that res.user.application should use a char field and not abort if it does not exist.
Given that we will not abort in this case, I don't see a reason for aborting with 429 when a request already exists either.