diff --git a/app/controllers/concerns/pagination.rb b/app/controllers/concerns/pagination.rb
index 2b119ba5d..e1283070b 100644
--- a/app/controllers/concerns/pagination.rb
+++ b/app/controllers/concerns/pagination.rb
@@ -3,9 +3,12 @@
 # Default options and configuration for pagination
 module Pagination
   extend ActiveSupport::Concern
+
+  ParamType = ActionController::Parameters
+
   included do
     def pagination_limit
-      params[:limit].present? ? params[:limit].to_i : 10
+      params.permit(limit: ParamType.integer & ParamType.gt(0))[:limit] || 10
     end
 
     def pagination_offset
diff --git a/test/controllers/concerns/metadata_test.rb b/test/controllers/concerns/metadata_test.rb
index e898cb4b1..ab43aa841 100644
--- a/test/controllers/concerns/metadata_test.rb
+++ b/test/controllers/concerns/metadata_test.rb
@@ -193,5 +193,33 @@ def authenticate
     assert_match(/offset=#{Profile.canonical(false).count}/, json_body['links']['last'])
   end
+
+  should 'return invalid parameter if limit=0' do
+    get profiles_url, params: { limit: 0 }
+    assert_response 422
+    assert_equal('Invalid parameter: limit must be greater than 0',
+                 json_body['errors'][0])
+  end
+
+  should 'return invalid parameter if limit<0' do
+    get profiles_url, params: { limit: -256 }
+    assert_response 422
+    assert_equal('Invalid parameter: limit must be greater than 0',
+                 json_body['errors'][0])
+  end
+
+  should 'return invalid parameter if limit is float' do
+    get profiles_url, params: { limit: 15.12 }
+    assert_response 422
+    assert_equal('Invalid parameter: limit must be an integer',
+                 json_body['errors'][0])
+  end
+
+  should 'return invalid parameter if limit is string' do
+    get profiles_url, params: { limit: '15.12' }
+    assert_response 422
+    assert_equal('Invalid parameter: limit must be an integer',
+                 json_body['errors'][0])
+  end
 end
 end
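Review bot: The new validator in `pagination_limit` rejects 0, negatives and non-integers but leaves `limit` unbounded above, so a client can still ask for arbitrarily large pages; the old `to_i` code had the same gap, but the permit call is now the natural place to cap it, either with an upper-bound check that reports `Invalid parameter: limit must be at most …` in the same style as the existing messages, or at minimum `[limit, MAX_LIMIT].min` on the returned value (with `MAX_LIMIT` a named constant). `ParamType` becomes a public constant of the concern (`Pagination::ParamType`) purely as a shorthand; consider `private_constant :ParamType`, and a short comment naming where `integer`/`gt` come from, since I cannot trace them to the stock permit scalar filters and a project extension is the likely source. The `included do` block and `pagination_offset` continue outside the hunk; presumably offset wants the same non-negative treatment, but that is not visible here.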
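Review bot: The four new tests cover only rejections; none checks that a valid value such as `limit=15` is still accepted and honoured now that parsing changed from `to_i` to a typed permit, and since GET query parameters reach the controller as strings that is the case most at risk of regressing. The `limit: 15.12` and `limit: '15.12'` cases are also very likely the same request once the test helper encodes the query string, so one of them could instead exercise the happy path. A test like the one below, asserting against whatever the response exposes for the page size (the `limit=` value in `json_body['links']['last']` if the links carry it, as they do for `offset=`), would close the gap. The enclosing test class runs past the end of the hunk.
```ruby
  should 'accept a positive integer limit' do
    get profiles_url, params: { limit: 15 }
    assert_response :success
    assert_match(/limit=15/, json_body['links']['last'])
  end
```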