From 0f2958aed4239afcceb6d80f8bc51ab5ad168051 Mon Sep 17 00:00:00 2001
From: Tom Hughes <tom@compton.nu>
Date: Thu, 5 Dec 2013 17:57:12 +0000
Subject: [PATCH] Report an error if a bogus limit value is passed to a notes
 API call

---
 app/controllers/notes_controller.rb      |  8 ++++++--
 test/functional/notes_controller_test.rb | 22 ++++++++++++++++++++--
 2 files changed, 26 insertions(+), 4 deletions(-)

diff --git a/app/controllers/notes_controller.rb b/app/controllers/notes_controller.rb
index 333597a72..eb2625d55 100644
--- a/app/controllers/notes_controller.rb
+++ b/app/controllers/notes_controller.rb
@@ -308,8 +308,12 @@ private
   ##
   # Get the maximum number of results to return
   def result_limit
-    if params[:limit] and params[:limit].to_i > 0 and params[:limit].to_i < 10000
-      params[:limit].to_i
+    if params[:limit]
+      if params[:limit].to_i > 0 and params[:limit].to_i < 10000
+        params[:limit].to_i
+      else
+        raise OSM::APIBadUserInput.new("Note limit must be between 1 and 9999")
+      end
     else
       100
     end
diff --git a/test/functional/notes_controller_test.rb b/test/functional/notes_controller_test.rb
index a4720eb06..49c3cd0ed 100644
--- a/test/functional/notes_controller_test.rb
+++ b/test/functional/notes_controller_test.rb
@@ -628,6 +628,12 @@ class NotesControllerTest < ActionController::TestCase
 
     get :index, {:l => '-2.5', :b => '-2.5', :r => '2.5'}
     assert_response :bad_request
+
+    get :index, {:bbox => '1,1,1.7,1.7', :limit => '0', :format => 'json'}
+    assert_response :bad_request
+
+    get :index, {:bbox => '1,1,1.7,1.7', :limit => '10000', :format => 'json'}
+    assert_response :bad_request
   end
 
   def test_search_success
@@ -699,6 +705,12 @@ class NotesControllerTest < ActionController::TestCase
   def test_search_bad_params
     get :search
     assert_response :bad_request
+
+    get :search, {:q => 'no match', :limit => '0', :format => 'json'}
+    assert_response :bad_request
+
+    get :search, {:q => 'no match', :limit => '10000', :format => 'json'}
+    assert_response :bad_request
   end
 
   def test_feed_success
@@ -722,10 +734,16 @@ class NotesControllerTest < ActionController::TestCase
   end
 
   def test_feed_fail
-    get :feed, {:bbox => "1,1,1.2"}
+    get :feed, {:bbox => "1,1,1.2", :format => "rss"}
+    assert_response :bad_request
+
+    get :feed, {:bbox => "1,1,1.2,1.2,1.2", :format => "rss"}
+    assert_response :bad_request
+
+    get :feed, {:bbox => "1,1,1.2,1.2", :limit => '0', :format => "rss"}
     assert_response :bad_request
 
-    get :feed, {:bbox => "1,1,1.2,1.2,1.2"}
+    get :feed, {:bbox => "1,1,1.2,1.2", :limit => '10000', :format => "rss"}
     assert_response :bad_request
   end
 
-- 
2.43.2