From 5c602e306cdf979a70aaa81cd473f491f2eee45a Mon Sep 17 00:00:00 2001
From: Nick Thomas
Date: Tue, 6 Jun 2017 15:55:12 +0100
Subject: Limit non-administrators to adding 100 members at a time to groups and projects
---
 app/services/members/create_service.rb | 22 +++++++++++++++++++---
 1 file changed, 19 insertions(+), 3 deletions(-)
(limited to 'app/services/members')
diff --git a/app/services/members/create_service.rb b/app/services/members/create_service.rb
index 3a58f6c065d..26906ae7167 100644
--- a/app/services/members/create_service.rb
+++ b/app/services/members/create_service.rb
@@ -1,22 +1,38 @@
 module Members
 class CreateService < BaseService
+ DEFAULT_LIMIT = 100
+
 def initialize(source, current_user, params = {})
 @source = source
 @current_user = current_user
 @params = params
+ @error = nil
 end
 
 def execute
- return false if params[:user_ids].blank?
+ return error('No users specified.') if params[:user_ids].blank?
+
+ user_ids = params[:user_ids].split(',').uniq
+
+ return error("Too many users specified (limit is #{user_limit})") if
+ user_limit && user_ids.size > user_limit
 
 @source.add_users(
- params[:user_ids].split(','),
+ user_ids,
 params[:access_level],
 expires_at: params[:expires_at],
 current_user: current_user
 )
 
- true
+ success
+ end
+
+ private
+
+ def user_limit
+ limit = params.fetch(:limit, DEFAULT_LIMIT)
+
+ limit && limit < 0 ? nil : limit
 end
 end
 end
-- 
cgit v1.2.3
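Review bot: `user_limit` reads the cap with `params.fetch(:limit, DEFAULT_LIMIT)`, from the same hash that carries `user_ids` and `access_level`, and a negative or nil value switches the check off. The cap therefore only holds if no caller lets a request-supplied `limit` reach this service. The callers are not part of this diff, and nothing in this file looks at whether `current_user` is an administrator, so the exemption named in the subject presumably lives there and should be confirmed. I would state the contract above `user_limit`, for example `# :limit is set by server-side code only (negative = unlimited); never forward it from request params`, or pass the limit as its own constructor argument rather than through `params`. A string value would also make `limit < 0` raise, so coercing it with `Integer(...)` or rejecting non-integers is worth adding.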