FIX: Do not allow negative values for LIMIT (#14122)

FIX: Do not allow negative values for LIMIT (#14122)

Negative values generated invalid SQL queries.

diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index ef3f4bc..c09b993 100644
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -1080,7 +1080,10 @@ class UsersController < ApplicationController
 
     options[:include_staged_users] = !!ActiveModel::Type::Boolean.new.cast(params[:include_staged_users])
     options[:last_seen_users] = !!ActiveModel::Type::Boolean.new.cast(params[:last_seen_users])
-    options[:limit] = params[:limit].to_i if params[:limit].present?
+    if params[:limit].present?
+      options[:limit] = params[:limit].to_i
+      raise Discourse::InvalidParameters.new(:limit) if options[:limit] <= 0
+    end
     options[:topic_id] = topic_id if topic_id
     options[:category_id] = category_id if category_id
 
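Review bot: The new guard on the `options[:limit]` line rejects zero and negative values but leaves the limit unbounded above, so a caller can still request an arbitrarily large result set from this search path; capping it next to the new check, e.g. `options[:limit] = [options[:limit], MAX_SEARCH_LIMIT].min` (with `MAX_SEARCH_LIMIT` standing in for whatever constant the project already uses), would close that side of the range. Separately, `to_i` maps a non-numeric string to 0, which the new check now turns into `Discourse::InvalidParameters` — the right outcome — but it also accepts leading-digit garbage such as `"10abc"` as 10; `Integer(params[:limit], exception: false)` would make the strict-integer intent explicit, with `nil` then failing the `<= 0` comparison unless handled. The enclosing action starts and ends outside the hunk, so I could not confirm whether a cap is applied later.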
diff --git a/spec/requests/users_controller_spec.rb b/spec/requests/users_controller_spec.rb
index 3f204b0..943785b 100644
--- a/spec/requests/users_controller_spec.rb
+++ b/spec/requests/users_controller_spec.rb
@@ -3938,6 +3938,13 @@ describe UsersController do
       expect(response.status).to eq(200)
     end
 
+    context 'limit' do
+      it "returns an error if value is invalid" do
+        get "/u/search/users.json", params: { limit: '-1' }
+        expect(response.status).to eq(400)
+      end
+    end
+
     context "when `enable_names` is true" do
       before do
         SiteSetting.enable_names = true
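Review bot: The new `limit` context only exercises `'-1'`, while the controller guard also rejects `0` and, because the value goes through `to_i`, any non-numeric string; without examples for those inputs a later change to the parsing could silently regress them. Adding sibling examples with `get "/u/search/users.json", params: { limit: '0' }` and `params: { limit: 'abc' }`, each expecting status 400, pins the full behaviour of the guard. A positive example with a small valid limit expecting 200 would also document that the happy path is unaffected, if one does not already exist elsewhere in this describe block.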

GitHub sha: eb6d66fe6f6be47e419114cec95cf01feb9de7de

This commit appears in #14122 which was approved by danielwaterworth. It was merged by nbianca.