From eb6d66fe6f6be47e419114cec95cf01feb9de7de Mon Sep 17 00:00:00 2001
From: Bianca Nenciu
Date: Tue, 24 Aug 2021 10:45:26 +0300
Subject: [PATCH] FIX: Do not allow negative values for LIMIT (#14122)
Negative values generated invalid SQL queries.
---
 app/controllers/users_controller.rb | 5 ++++-
 spec/requests/users_controller_spec.rb | 7 +++++++
 2 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index ef3f4bc0fff..c09b993117f 100644
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -1080,7 +1080,10 @@ class UsersController < ApplicationController
 options[:include_staged_users] = !!ActiveModel::Type::Boolean.new.cast(params[:include_staged_users])
 options[:last_seen_users] = !!ActiveModel::Type::Boolean.new.cast(params[:last_seen_users])
- options[:limit] = params[:limit].to_i if params[:limit].present?
+ if params[:limit].present?
+ options[:limit] = params[:limit].to_i
+ raise Discourse::InvalidParameters.new(:limit) if options[:limit] <= 0
+ end
 options[:topic_id] = topic_id if topic_id
 options[:category_id] = category_id if category_id
diff --git a/spec/requests/users_controller_spec.rb b/spec/requests/users_controller_spec.rb
index 3f204b0f2f1..943785b5f73 100644
--- a/spec/requests/users_controller_spec.rb
+++ b/spec/requests/users_controller_spec.rb
@@ -3938,6 +3938,13 @@ describe UsersController do
 expect(response.status).to eq(200)
 end
+ context 'limit' do
+ it "returns an error if value is invalid" do
+ get "/u/search/users.json", params: { limit: '-1' }
+ expect(response.status).to eq(400)
+ end
+ end
+
 context "when `enable_names` is true" do
 before do
 SiteSetting.enable_names = true
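Review bot: The guard added at `raise Discourse::InvalidParameters.new(:limit) if options[:limit] <= 0` still accepts a malformed value such as `10abc`, because `params[:limit].to_i` on the line above silently truncates it to `10` (it also turns any non-numeric string into `0`, which now raises — a reasonable side effect, but an accidental one). Parsing strictly makes the check match its intent: `options[:limit] = Integer(params[:limit], exception: false)` followed by `raise Discourse::InvalidParameters.new(:limit) if options[:limit].nil? || options[:limit] <= 0`. There is also no upper bound on `limit`; if `UserSearch` does not cap it itself, a maximum here would keep a single request from asking for an arbitrarily large result set. The enclosing method starts and ends outside the hunk.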
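Review bot: The new `context 'limit'` example exercises only `-1`, while the controller guard rejects `<= 0`, so the boundary value `0` — which is also what `to_i` yields for any non-numeric string — is untested. Add a second example with `params: { limit: '0' }` asserting `expect(response.status).to eq(400)`, and ideally a positive control such as `limit: '1'` expecting `200` so the check is known not to reject valid input. The enclosing `describe` block starts and ends outside the hunk.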