mirror of
https://github.com/discourse/discourse.git
synced 2024-11-29 12:13:58 -06:00
d5745d34c2
When creating a group membership request, there is no character limit on the 'reason' field. This can be potentially be used by an attacker to create enormous amount of data in the database. Co-authored-by: Ted Johansson <ted@discourse.org>
29 lines
682 B
Ruby
29 lines
682 B
Ruby
# frozen_string_literal: true
|
|
|
|
class GroupRequest < ActiveRecord::Base
|
|
REASON_CHARACTER_LIMIT = 280
|
|
|
|
belongs_to :group
|
|
belongs_to :user
|
|
|
|
validates :reason, length: { maximum: REASON_CHARACTER_LIMIT }
|
|
end
|
|
|
|
# == Schema Information
|
|
#
|
|
# Table name: group_requests
|
|
#
|
|
# id :bigint not null, primary key
|
|
# group_id :integer
|
|
# user_id :integer
|
|
# reason :text
|
|
# created_at :datetime not null
|
|
# updated_at :datetime not null
|
|
#
|
|
# Indexes
|
|
#
|
|
# index_group_requests_on_group_id (group_id)
|
|
# index_group_requests_on_group_id_and_user_id (group_id,user_id) UNIQUE
|
|
# index_group_requests_on_user_id (user_id)
|
|
#
|