Protected packages: Limit number of package protection rules per project [Follow-up]


Summary

The following discussion from !124776 (merged) should be addressed, see discussion.

Currently, it is possible to create unlimited package protection rules. This is bad because:

  • Many package protection rules per project could have a performance impact when new packages are pushed, because all of those rules have to be checked
  • It is possible to abuse package protection rules, which would impact performance

As a safeguard / safety measure against performance concerns and possible abuse, we should consider limiting the number of package protection rules.

This limitation was also raised in &5574 (comment 1425176209).

This issue is considered a follow-up of Protected packages: Add basic model and migrati... (#416382).

🛠️ with ❤️ at Siemens

Improvements

Risks

  • At the moment, we expect only a small number of package protection rules to be created per project, so the risk of failing to meet user demands is low

Involved components

  • PackageProtectionRule

Optional: Intended side effects

Optional: Missing test coverage

Edited by 🤖 GitLab Bot 🤖
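
The safeguard proposed in the summary, sketched as an added example in plain Ruby (not GitLab's code and not part of the original issue): rule creation is refused once a per-project cap is reached, which bounds how many rules a package push has to check. The cap value, the `Project` class, the `RuleLimitExceeded` error and the glob-style name pattern are assumptions made for illustration.

```ruby
# Added illustration in plain Ruby; not GitLab's implementation.
# MAX_RULES_PER_PROJECT, Project, RuleLimitExceeded and the glob-style
# pattern matching are assumptions; the issue does not specify them.
MAX_RULES_PER_PROJECT = 5 # hypothetical cap, no number is given in the issue

class RuleLimitExceeded < StandardError; end

PackageProtectionRule = Struct.new(:package_name_pattern, :package_type) do
  # True when this rule covers the pushed package.
  def protects?(name, type)
    package_type == type && File.fnmatch?(package_name_pattern, name)
  end
end

class Project
  attr_reader :rules

  def initialize
    @rules = []
  end

  # Refuse creation once the cap is reached, so the per-push work below
  # can never exceed MAX_RULES_PER_PROJECT pattern comparisons.
  def add_rule(pattern, type)
    if @rules.size >= MAX_RULES_PER_PROJECT
      raise RuleLimitExceeded, "limit of #{MAX_RULES_PER_PROJECT} rules reached"
    end
    rule = PackageProtectionRule.new(pattern, type)
    @rules << rule
    rule
  end

  # Every push walks the rule list until a rule matches.
  # Returns [protected?, number_of_rules_checked].
  def push_protected?(name, type)
    checked = 0
    hit = @rules.any? do |rule|
      checked += 1
      rule.protects?(name, type)
    end
    [hit, checked]
  end
end
```

A push that matches no rule is the worst case: it checks every rule, so the cap is also the upper bound on comparisons per push.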