FIX: Do not allow negative values for LIMIT (#14122)

Negative values generated invalid SQL queries.
Bianca Nenciu 2021-08-24 10:45:26 +03:00 committed by GitHub
parent f03f0866e7
commit eb6d66fe6f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 11 additions and 1 deletions


@ -1080,7 +1080,10 @@ class UsersController < ApplicationController
options[:include_staged_users] = !!ActiveModel::Type::Boolean.new.cast(params[:include_staged_users]) options[:include_staged_users] = !!ActiveModel::Type::Boolean.new.cast(params[:include_staged_users])
options[:last_seen_users] = !!ActiveModel::Type::Boolean.new.cast(params[:last_seen_users]) options[:last_seen_users] = !!ActiveModel::Type::Boolean.new.cast(params[:last_seen_users])
options[:limit] = params[:limit].to_i if params[:limit].present? if params[:limit].present?
options[:limit] = params[:limit].to_i
raise Discourse::InvalidParameters.new(:limit) if options[:limit] <= 0
end
options[:topic_id] = topic_id if topic_id options[:topic_id] = topic_id if topic_id
options[:category_id] = category_id if category_id options[:category_id] = category_id if category_id
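Review bot: The new guard on `options[:limit]` sets only a lower bound, so an arbitrarily large `limit` still passes from the request into the search options; whether anything downstream caps it is not visible in this hunk. If nothing does, bound it in the same check, e.g. `raise Discourse::InvalidParameters.new(:limit) if options[:limit] <= 0 || options[:limit] > MAX_USER_SEARCH_LIMIT` (placeholder constant name). Separately, `params[:limit].to_i` assumes a scalar: a request sending `limit[]=1` makes `params[:limit]` an Array, which has no `to_i`, so it would likely surface as a 500 rather than the 400 this commit aims for. The enclosing action starts and ends outside the hunk.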


@ -3938,6 +3938,13 @@ describe UsersController do
expect(response.status).to eq(200) expect(response.status).to eq(200)
end end
context 'limit' do
it "returns an error if value is invalid" do
get "/u/search/users.json", params: { limit: '-1' }
expect(response.status).to eq(400)
end
end
context "when `enable_names` is true" do context "when `enable_names` is true" do
before do before do
SiteSetting.enable_names = true SiteSetting.enable_names = true
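Review bot: The new `limit` context exercises only `'-1'`, while the controller check is `<= 0`, so the boundary value and the `to_i` fallback are untested. Add cases for `limit: '0'` and a non-numeric value such as `limit: 'abc'` (both should return 400, since `'abc'.to_i` is 0), plus one positive value that still returns 200. The enclosing `describe` block starts and ends outside the hunk.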