Fix missing value limits for UserRole position (#33172)

2024-12-22 07:05:23 +01:00 · 2024-12-18 03:29:27 -05:00 · 2024-12-18 03:29:27 -05:00 · ca2a7d66b8
commit ca2a7d66b8
parent 1992c2a4fa
2 changed files with 13 additions and 0 deletions
--- a/app/models/user_role.rb
+++ b/app/models/user_role.rb
@ -41,6 +41,8 @@ class UserRole < ApplicationRecord
  EVERYONE_ROLE_ID = -99
  NOBODY_POSITION = -1

+  POSITION_LIMIT = 2**31
+
  module Flags
    NONE = 0
    ALL  = FLAGS.values.reduce(&:|)
@ -89,6 +91,7 @@ class UserRole < ApplicationRecord

  validates :name, presence: true, unless: :everyone?
  validates :color, format: { with: /\A#?(?:[A-F0-9]{3}){1,2}\z/i }, unless: -> { color.blank? }
+  validates :position, numericality: { greater_than_or_equal_to: -POSITION_LIMIT, less_than_or_equal_to: POSITION_LIMIT }

  validate :validate_permissions_elevation
  validate :validate_position_elevation
--- a/spec/models/user_role_spec.rb
+++ b/spec/models/user_role_spec.rb
@ -18,6 +18,16 @@ RSpec.describe UserRole do
      end
    end

+    describe 'position' do
+      subject { Fabricate.build :user_role }
+
+      let(:excess) { 2**32 }
+      let(:limit) { 2**31 }
+
+      it { is_expected.to_not allow_values(-excess, excess).for(:position) }
+      it { is_expected.to allow_values(-limit, limit).for(:position) }
+    end
+
    describe 'color' do
      it { is_expected.to allow_values('#112233', '#aabbcc', '').for(:color) }
      it { is_expected.to_not allow_values('x', '112233445566', '#xxyyzz').for(:color) }