FIX: prevents PM to large groups (#28681)

This commit introduces a new hidden site setting: `group_pm_user_limit`, default to `1000` which will raise an error when attempting to create a PM target a large group.
2025-05-23 21:11:13 +08:00 · 2024-09-03 12:08:14 +02:00
parent 80b9c280ba
commit e418f7056f
7 changed files with 84 additions and 4 deletions
--- a/spec/lib/topic_creator_spec.rb
+++ b/spec/lib/topic_creator_spec.rb
@ -563,6 +563,29 @@ RSpec.describe TopicCreator do
        end
      end

+      context "with too many users in a group" do
+        fab!(:group) { Fabricate(:group, messageable_level: Group::ALIAS_LEVELS[:everyone]) }
+
+        before do
+          SiteSetting.group_pm_user_limit = 1
+          Fabricate.times(2, :user).each { |user| group.add(user) }
+          pm_valid_attrs[:target_group_names] = group.name
+        end
+
+        it "fails with an error" do
+          expect do
+            TopicCreator.create(user, Guardian.new(admin), pm_valid_attrs)
+          end.to raise_error(
+            ActiveRecord::Rollback,
+            I18n.t(
+              "activerecord.errors.models.topic.attributes.base.too_large_group",
+              limit: SiteSetting.group_pm_user_limit,
+              group_name: group.name,
+            ),
+          )
+        end
+      end
+
      context "with to emails" do
        it "works for staff" do
          SiteSetting.send_email_messages_allowed_groups = "1|3"