FIX: do not allow unbound membership lookups

Previously we would allow looking up membership limits in an unbound way via the API, this introduces an upper limit of 1000 per page.
2025-05-22 16:34:31 +08:00 · 2019-06-17 15:32:06 +10:00
parent fe4f0a4369
commit 704c579550
2 changed files with 7 additions and 0 deletions
--- a/app/controllers/groups_controller.rb
+++ b/app/controllers/groups_controller.rb
@ -211,6 +211,10 @@ class GroupsController < ApplicationController
      raise Discourse::InvalidParameters.new(:limit)
    end

+    if limit > 1000
+      raise Discourse::InvalidParameters.new(:limit)
+    end
+
    if offset < 0
      raise Discourse::InvalidParameters.new(:offset)
    end