Validate GET /dashboard/activity params

What does this MR do and why?

Improve validation of limit and offset parameters for the GET /dashboards/activity endpoint.

  • limit: if negative or non-numeric, use the existing query default limit (i.e., return a page with the default number of records)
  • offset: if negative or non-numeric, use 0 as default (i.e., return the first page).
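As an added illustration of the rule above (example code, not this MR's own change; DEFAULT_LIMIT and the helper names are assumptions), a Ruby sketch of the coercion and the edge cases it has to cover, including the limit=-5 reproducer from the validation steps:

```ruby
# Added example, not the MR's code. DEFAULT_LIMIT stands in for the query
# default the controller already uses; the real value lives in the controller.
DEFAULT_LIMIT = 20

# Strictly parse a base-10 integer from a query param. Returns nil for anything
# that is not a plain integer ("abc", "5abc", "1e3", "", nil, an array param
# such as limit[]=5), so partial parses never reach the SQL LIMIT/OFFSET clause.
# Base 10 is passed explicitly so "010" is read as ten, not as octal.
def parse_int_param(value)
  return nil if value.nil?

  Integer(value.to_s.strip, 10, exception: false)
end

# Negative or non-numeric limit -> fall back to the default page size.
# Zero is left alone: the text only rules out negative values.
def sanitized_limit(param, default: DEFAULT_LIMIT)
  value = parse_int_param(param)
  return default if value.nil? || value.negative?

  value
end

# Negative or non-numeric offset -> first page.
def sanitized_offset(param)
  value = parse_int_param(param)
  return 0 if value.nil? || value.negative?

  value
end

# What the endpoint would hand to the query layer for a given params hash.
def pagination_for(params)
  {
    limit: sanitized_limit(params['limit']),
    offset: sanitized_offset(params['offset'])
  }
end

# Constructed sample requests; the second one is the reproducer from this MR.
[
  { 'limit' => '5', 'is_personal_homepage' => '1' },
  { 'limit' => '-5', 'is_personal_homepage' => '1' },
  { 'limit' => '20', 'offset' => '-1' },
  { 'limit' => 'abc', 'offset' => '1e3' }
].each { |p| puts "#{p.inspect} -> #{pagination_for(p).inspect}" }
```

On master the second request reached PostgreSQL with LIMIT -5 and raised PG::InvalidRowCountInLimitClause; here it is coerced before any query is built.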

Alternatives considered

I think we could make a case for returning HTTP 400 when the server receives negative limit/offset params. Negative values don't make sense in the context of these params. However, this would be a breaking change to the API which explodes the scope of the issue.

I'm keeping limit/offset handling consistent with the existing pattern in this controller: use the default limit if the limit param doesn't make sense, and return the first page if the offset param doesn't make sense.

References

Issue: https://gitlab.com/gitlab-org/gitlab/-/issues/564983

Screenshots or screen recordings

How to set up and validate locally

Please follow the steps in https://gitlab.com/gitlab-org/gitlab/-/issues/564983 and notice this branch fixes the issue.

Verify /users/<username>/activity

On master:

  • Open browser dev tools, network tab
  • Visit https://<your_gdk_host>/dashboard/home
  • Find the call to https://<your_gdk_host>/users/<user_id>/activity
  • Left click -> copy -> copy as cURL
  • Open a terminal session
  • Paste the cURL command in the terminal; it looks like:
      curl 'https://gdk.test:3443/users/<username>/activity?limit=5&is_personal_homepage=1' \
        ...a bunch of headers.
  • Change the param to limit=-5
  • Make the request and notice that the response is an exception:
      PG::InvalidRowCountInLimitClause: ERROR:  LIMIT must not be negative

On this branch:

  • Follow the same steps and notice that the response is no longer an exception: a negative limit value returns the default limit.

Verify /dashboards/activity

On master:

  • Open browser dev tools, network tab
  • Visit https://<your_gdk_host>/dashboard/activity
  • Find the call to https://<your_gdk_host>/dashboards/activity (the one with the header Accept: application/json and limit+offset params)
  • Left click -> copy -> copy as cURL
  • Open a terminal session
  • Paste the cURL command in the terminal; it looks like:
      curl 'https://gdk.test:3443/dashboard/activity?limit=20&offset=0' \
        ...a bunch of headers.
  • Change the limit or offset param to a negative value and notice the exception

On this branch:

  • Follow the same steps and notice that the response is no longer an exception: a negative limit returns the default limit, and a negative offset returns the first page of results.

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #564983

Edited by Jason Knabl
