Limit non-administrators to adding 100 members at a time to groups and projects

2 files changed, 8 insertions, 6 deletions

diff --git a/app/controllers/admin/groups_controller.rb b/app/controllers/admin/groups_controller.rb
index 5885b3543bb..5a2a7c7f27b 100644
--- a/app/controllers/admin/groups_controller.rb
+++ b/app/controllers/admin/groups_controller.rb
@@ -43,12 +43,13 @@ class Admin::GroupsController < Admin::ApplicationController
   end
 
   def members_update
-    status = Members::CreateService.new(@group, current_user, params).execute
+    member_params = params.permit(:user_ids, :access_level, :expires_at)
+    result = Members::CreateService.new(@group, current_user, member_params.merge(limit: -1)).execute
 
-    if status
+    if result[:status] == :success
       redirect_to [:admin, @group], notice: 'Users were successfully added.'
     else
-      redirect_to [:admin, @group], alert: 'No users specified.'
+      redirect_to [:admin, @group], alert: result[:message]
     end
   end
 
diff --git a/app/controllers/concerns/membership_actions.rb b/app/controllers/concerns/membership_actions.rb
index b1bacc8ffe5..cefb9b4e766 100644
--- a/app/controllers/concerns/membership_actions.rb
+++ b/app/controllers/concerns/membership_actions.rb
@@ -2,14 +2,15 @@ module MembershipActions
   extend ActiveSupport::Concern
 
   def create
-    status = Members::CreateService.new(membershipable, current_user, params).execute
+    create_params = params.permit(:user_ids, :access_level, :expires_at)
+    result = Members::CreateService.new(membershipable, current_user, create_params).execute
 
     redirect_url = members_page_url
 
-    if status
+    if result[:status] == :success
       redirect_to redirect_url, notice: 'Users were successfully added.'
     else
-      redirect_to redirect_url, alert: 'No users specified.'
+      redirect_to redirect_url, alert: result[:message]
     end
   end