Add validation for maximum ID passed to changesets#index

diff --git a/app/controllers/changesets_controller.rb b/app/controllers/changesets_controller.rb
index 3ea5fb64e96288551aac8169b5dfaaecc5630087..757664b580e61c78306b689f7c0f7fd614d2df6b 100644 (file)
--- a/app/controllers/changesets_controller.rb
+++ b/app/controllers/changesets_controller.rb
@@ -18,6 +18,8 @@ class ChangesetsController < ApplicationController
   ##
   # list non-empty changesets in reverse chronological order
   def index
+    param! :max_id, Integer, :min => 1
+
     @params = params.permit(:display_name, :bbox, :friends, :nearby, :max_id, :list)
 
     if request.format == :atom && @params[:max_id]

diff --git a/test/controllers/changesets_controller_test.rb b/test/controllers/changesets_controller_test.rb
index 1fd9de2e810fb8a9735731055213fecd5148f967..44022ba203d98b849989bcca7f31c0699d4ced66 100644 (file)
--- a/test/controllers/changesets_controller_test.rb
+++ b/test/controllers/changesets_controller_test.rb
@@ -92,6 +92,15 @@ class ChangesetsControllerTest < ActionDispatch::IntegrationTest
     check_index_result(changesets.last(20))
   end
 
+  ##
+  # This should report an error
+  def test_index_invalid_xhr
+    %w[-1 0 fred].each do |id|
+      get history_path(:format => "html", :list => "1", :max_id => id)
+      assert_redirected_to :controller => :errors, :action => :bad_request
+    end
+  end
+
   ##
   # This should display the last 20 changesets closed in a specific area
   def test_index_bbox