FIX: do not allow unbound membership lookups

Previously we would allow looking up membership limits in an unbound way via the API, this introduces an upper limit of 1000 per page.
2019-06-17 15:32:06 +10:00 · 2019-06-17 15:32:06 +10:00 · 704c579550
parent fe4f0a4369
commit 704c579550
2 changed files with 7 additions and 0 deletions
--- a/app/controllers/groups_controller.rb
+++ b/app/controllers/groups_controller.rb
@ -211,6 +211,10 @@ class GroupsController < ApplicationController
      raise Discourse::InvalidParameters.new(:limit)
    end

+    if limit > 1000
+      raise Discourse::InvalidParameters.new(:limit)
+    end
+
    if offset < 0
      raise Discourse::InvalidParameters.new(:offset)
    end
--- a/spec/requests/groups_controller_spec.rb
+++ b/spec/requests/groups_controller_spec.rb
@ -351,6 +351,9 @@ describe GroupsController do

      get "/groups/#{group.name}/members.json?offset=-1"
      expect(response.status).to eq(400)
+
+      get "/groups/trust_level_0/members.json?limit=2000"
+      expect(response.status).to eq(400)
    end

    it "ensures the group can be seen" do