From 997ab5e3b918ff462e4eec727bcd87af75c1eebd Mon Sep 17 00:00:00 2001 From: Michael Vitz Date: Tue, 16 Aug 2016 20:52:47 +0200 Subject: [PATCH] Set maximum of 'limit' query parameter to 100 If a limit greater than 100 is used the user is redirected to the same page with a limit of 100. Relates to #184 --- src/statuses/routes.clj | 19 ++++++++++++++---- src/statuses/routing.clj | 38 ++++++++++++++++++----------------- test/statuses/test/routes.clj | 20 ++++++++++++++++++ 3 files changed, 55 insertions(+), 22 deletions(-) create mode 100644 test/statuses/test/routes.clj diff --git a/src/statuses/routes.clj b/src/statuses/routes.clj index 10b9e10..62b5041 100644 --- a/src/statuses/routes.clj +++ b/src/statuses/routes.clj @@ -1,15 +1,26 @@ (ns statuses.routes - (:require [statuses.configuration :refer [config]])) + (:require [clojure.string :as s] + [statuses.configuration :refer [config]])) + +(defn query-params [params] + (let [filtered-params (into {} (remove (comp nil? second)) params)] + (if (empty? filtered-params) + "" + (->> filtered-params + (map #(str (name (key %)) "=" (val %))) + (s/join "&") + (str "?"))))) (def base-template "/statuses") (defn base-path [] base-template) (def updates-template (str base-template "/updates")) (defn updates-path - ([] (updates-path nil)) - ([response-format] + ([] (updates-path {})) + ([params] (str updates-template - (if response-format (str "?format=" (name response-format)) "")))) + (query-params (select-keys params + [:limit :offset :author :query :format]))))) (def update-template (str updates-template "/:id")) (defn update-path [id] (str (updates-path) "/" id)) diff --git a/src/statuses/routing.clj b/src/statuses/routing.clj index a0e3d5a..a2b1e57 100644 --- a/src/statuses/routing.clj +++ b/src/statuses/routing.clj 
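Review bot: `query-params` builds the query string without percent-encoding keys or values, in the step `(map #(str (name (key %)) "=" (val %)))`. `updates-path` now passes `:author` and `:query` through it, and the routing.clj hunk of this patch uses that path as a redirect target built from request parameters. A value containing `&`, `=`, `#`, a space or non-ASCII text would therefore produce a different or malformed URL than the one the client asked for. Encoding both parts closes this, e.g. `(map (fn [[k v]] (str (java.net.URLEncoder/encode (name k) "UTF-8") "=" (java.net.URLEncoder/encode (str v) "UTF-8"))))`. A one-line docstring on `query-params` should also state that nil-valued entries are dropped and that the result is either `""` or starts with `?`.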
@@ -48,24 +48,26 @@ (defn updates-page [params request] (let [next (next-uri (update-in params [:offset] (partial + (:limit params))) request) {:keys [limit offset author query format]} params] - (with-etag request (:time (first (core/get-latest @db 1 offset author query))) - (let [items (core/label-updates :can-delete? - (partial core/can-delete? @db (user request)) - (core/get-latest @db limit offset author query))] - (cond - (= format "json") (content-type - "application/json" - (json/as-json {:items (json-decorator/decorate items), :next next})) - (= format "atom") (content-type - "application/atom+xml;charset=utf-8" - (atom/render-atom items - (str (base-uri request) "/statuses") - (str (base-uri request) - "/statuses/updates?" - (:query-string request)))) - :else (content-type - "text/html;charset=utf-8" - (list-page items next (user request) nil))))))) + (if (> limit 100) + (redirect (route/updates-path (assoc params :limit 100))) + (with-etag request (:time (first (core/get-latest @db 1 offset author query))) + (let [items (core/label-updates :can-delete? + (partial core/can-delete? @db (user request)) + (core/get-latest @db limit offset author query))] + (cond + (= format "json") (content-type + "application/json" + (json/as-json {:items (json-decorator/decorate items), :next next})) + (= format "atom") (content-type + "application/atom+xml;charset=utf-8" + (atom/render-atom items + (str (base-uri request) "/statuses") + (str (base-uri request) + "/statuses/updates?" + (:query-string request)))) + :else (content-type + "text/html;charset=utf-8" + (list-page items next (user request) nil)))))))) (defn new-update "Handles the request to add a new update. Checks whether the post values 'entry-text' or diff --git a/test/statuses/test/routes.clj b/test/statuses/test/routes.clj new file mode 100644 index 0000000..83ad0c5 --- /dev/null +++ b/test/statuses/test/routes.clj 
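Review bot: The new guard `(> limit 100)` caps only the upper bound and assumes `limit` is already a number here. The `(partial + (:limit params))` context line suggests it is parsed upstream, but that code is outside the hunk. A zero or negative `limit`, and any `offset`, still reach `core/get-latest` unchecked, so confirm that the parameter parser rejects those or validate them next to this check. The literal 100 appears twice; a named value such as `(def max-limit 100)` used as `(if (> limit max-limit) (redirect (route/updates-path (assoc params :limit max-limit))) ...)` keeps the comparison and the redirect in step. A short comment saying why an over-limit request is redirected rather than silently clamped would help the next reader.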
@@ -0,0 +1,20 @@
+(ns statuses.test.routes
+ (:require [clojure.test :refer [deftest is]]
+ [statuses.routes :as sut]))
+
+(deftest test-query-params
+ (is (=
+ (sut/query-params {})
+ ""))
+ (is (=
+ (sut/query-params {:foo "bar"})
+ "?foo=bar"))
+ (is (=
+ (sut/query-params {:foo "bar" :bar "foo"})
+ "?foo=bar&bar=foo"))
+ (is (=
+ (sut/query-params {:foo "bar" :bar nil})
+ "?foo=bar"))
+ (is (=
+ (sut/query-params {:foo nil :bar nil}))))
+
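Review bot: The last assertion, `(is (= (sut/query-params {:foo nil :bar nil})))`, calls `=` with a single argument, which is always true, so the all-nil case is never checked. It should read `(is (= (sut/query-params {:foo nil :bar nil}) ""))`. The `"?foo=bar&bar=foo"` expectation also depends on map iteration order, which holds for small literal maps but is not guaranteed by `query-params` itself. No case covers a value with reserved characters such as `&` or a space; adding one would pin down the encoding behaviour that the redirect in routing.clj relies on.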