Report an error if a bogus limit value is passed to a notes API call

2013-12-05 17:57:12 +00:00 · 2013-12-05 17:57:12 +00:00 · 0f2958aed4
commit 0f2958aed4
parent c866d28fd4
2 changed files with 26 additions and 4 deletions
--- a/app/controllers/notes_controller.rb
+++ b/app/controllers/notes_controller.rb
@ -308,8 +308,12 @@ private
  ##
  # Get the maximum number of results to return
  def result_limit
-    if params[:limit] and params[:limit].to_i > 0 and params[:limit].to_i < 10000
-      params[:limit].to_i
+    if params[:limit]
+      if params[:limit].to_i > 0 and params[:limit].to_i < 10000
+        params[:limit].to_i
+      else
+        raise OSM::APIBadUserInput.new("Note limit must be between 1 and 9999")
+      end
    else
      100
    end
--- a/test/functional/notes_controller_test.rb
+++ b/test/functional/notes_controller_test.rb
@ -628,6 +628,12 @@ class NotesControllerTest < ActionController::TestCase

    get :index, {:l => '-2.5', :b => '-2.5', :r => '2.5'}
    assert_response :bad_request
+
+    get :index, {:bbox => '1,1,1.7,1.7', :limit => '0', :format => 'json'}
+    assert_response :bad_request
+
+    get :index, {:bbox => '1,1,1.7,1.7', :limit => '10000', :format => 'json'}
+    assert_response :bad_request
  end

  def test_search_success
@ -699,6 +705,12 @@ class NotesControllerTest < ActionController::TestCase
  def test_search_bad_params
    get :search
    assert_response :bad_request
+
+    get :search, {:q => 'no match', :limit => '0', :format => 'json'}
+    assert_response :bad_request
+
+    get :search, {:q => 'no match', :limit => '10000', :format => 'json'}
+    assert_response :bad_request
  end

  def test_feed_success
@ -722,10 +734,16 @@ class NotesControllerTest < ActionController::TestCase
  end

  def test_feed_fail
-    get :feed, {:bbox => "1,1,1.2"}
+    get :feed, {:bbox => "1,1,1.2", :format => "rss"}
    assert_response :bad_request

-    get :feed, {:bbox => "1,1,1.2,1.2,1.2"}
+    get :feed, {:bbox => "1,1,1.2,1.2,1.2", :format => "rss"}
+    assert_response :bad_request
+
+    get :feed, {:bbox => "1,1,1.2,1.2", :limit => '0', :format => "rss"}
+    assert_response :bad_request
+
+    get :feed, {:bbox => "1,1,1.2,1.2", :limit => '10000', :format => "rss"}
    assert_response :bad_request
  end