Implemented #504

README.md

@@ -161,6 +161,7 @@ You can enable the following middleware using the "middlewares" config parameter
 - "validation": Return input validation errors for custom rules
 - "sanitation": Apply input sanitation on create and update
 - "multiTenancy": Restricts tenants access in a multi-tenant scenario
+- "pageLimits": Restricts list operations to become too heavy
 - "customization": Provides handlers for request and response customization
 
 The "middlewares" config parameter is a comma separated list of enabled middlewares.
@@ -197,6 +198,8 @@ You can tune the middleware behavior using middleware specific configuration par
 - "validation.handler": Handler to implement validation rules for input values ("")
 - "sanitation.handler": Handler to implement sanitation rules for input values ("")
 - "multiTenancy.handler": Handler to implement simple multi-tenancy rules ("")
+- "pageLimits.pages": The maximum page number that may be requested ("100")
+- "pageLimits.records": The maximum number of records that a page may contain ("1000")
 - "customization.beforeHandler": Handler to implement request customization ("")
 - "customization.afterHandler": Handler to implement response customization ("")
 

api.php

@@ -3463,6 +3463,65 @@ class MultiTenancyMiddleware extends Middleware
     }
 }
 
+// file: src/Tqdev/PhpCrudApi/Middleware/PageLimitsMiddleware.php
+
+class PageLimitsMiddleware extends Middleware
+{
+    private $reflection;
+
+    public function __construct(Router $router, Responder $responder, array $properties, ReflectionService $reflection)
+    {
+        parent::__construct($router, $responder, $properties);
+        $this->reflection = $reflection;
+        $this->utils = new RequestUtils($reflection);
+    }
+
+    private function getMissingOrderParam(ReflectedTable $table): String
+    {
+        $pk = $table->getPk();
+        if (!$pk) {
+            $columnNames = $table->getColumnNames();
+            if (!$columnNames) {
+                return '';
+            }
+            return $columnNames[0];
+        }
+        return $pk->getName();
+    }
+
+    public function handle(Request $request): Response
+    {
+        $operation = $this->utils->getOperation($request);
+        if ($operation == 'list') {
+            $tableName = $request->getPathSegment(2);
+            $table = $this->reflection->getTable($tableName);
+            if ($table) {
+                $params = $request->getParams();
+                if (!isset($params['order']) || !$params['order']) {
+                    $params['order'] = array($this->getMissingOrderParam($table));
+                }
+                $maxPage = (int) $this->getProperty('pages', '100');
+                if (isset($params['page']) && $params['page']) {
+                    if (strpos($params['page'][0], ',') === false) {
+                        $params['page'] = array(min($params['page'][0], $maxPage));
+                    } else {
+                        list($page, $size) = explode(',', $params['page'][0], 2);
+                        $params['page'] = array(min($page, $maxPage) . ',' . $size);
+                    }
+                }
+                $maxSize = (int) $this->getProperty('records', '1000');
+                if (!isset($params['size']) || !$params['size']) {
+                    $params['size'] = array($maxSize);
+                } else {
+                    $params['size'] = array(min($params['size'][0], $maxSize));
+                }
+                $request->setParams($params);
+            }
+        }
+        return $this->next->handle($request);
+    }
+}
+
 // file: src/Tqdev/PhpCrudApi/Middleware/SanitationMiddleware.php
 
 class SanitationMiddleware extends Middleware
@@ -4464,7 +4523,7 @@ class PaginationInfo
         return $offset;
     }
 
-    public function getPageSize(array $params): int
+    private function getPageSize(array $params): int
     {
         $pageSize = $this->DEFAULT_PAGE_SIZE;
         if (isset($params['page'])) {
@@ -4489,6 +4548,23 @@ class PaginationInfo
         return $numberOfRows;
     }
 
+    public function getPageLimit(array $params): int
+    {
+        $pageLimit = -1;
+        if ($this->hasPage($params)) {
+            $pageLimit = $this->getPageSize($params);
+        }
+        $resultSize = $this->getResultSize($params);
+        if ($resultSize >= 0) {
+            if ($pageLimit >= 0) {
+                $pageLimit = min($pageLimit, $resultSize);
+            } else {
+                $pageLimit = $resultSize;
+            }
+        }
+        return $pageLimit;
+    }
+
 }
 
 // file: src/Tqdev/PhpCrudApi/Record/PathTree.php
@@ -4675,11 +4751,11 @@ class RecordService
         $columnOrdering = $this->ordering->getColumnOrdering($table, $params);
         if (!$this->pagination->hasPage($params)) {
             $offset = 0;
-            $limit = $this->pagination->getResultSize($params);
+            $limit = $this->pagination->getPageLimit($params);
             $count = 0;
         } else {
             $offset = $this->pagination->getPageOffset($params);
-            $limit = $this->pagination->getPageSize($params);
+            $limit = $this->pagination->getPageLimit($params);
             $count = $this->db->selectCount($table, $condition);
         }
         $records = $this->db->selectAll($table, $columnNames, $condition, $columnOrdering, $offset, $limit);
@@ -5082,6 +5158,9 @@ class Api
                 case 'xsrf':
                     new XsrfMiddleware($router, $responder, $properties);
                     break;
+                case 'pageLimits':
+                    new PageLimitsMiddleware($router, $responder, $properties, $reflection);
+                    break;
                 case 'customization':
                     new CustomizationMiddleware($router, $responder, $properties, $reflection);
                     break;
@@ -5428,6 +5507,11 @@ class Request
         return $this->params;
     }
 
+    public function setParams(array $params) /*: void*/
+    {
+        $this->params = $params;
+    }
+
     public function getBody() /*: ?array*/
     {
         return $this->body;

src/Tqdev/PhpCrudApi/Middleware/PageLimitsMiddleware.php

@@ -0,0 +1,68 @@
+<?php
+namespace Tqdev\PhpCrudApi\Middleware;
+
+use Tqdev\PhpCrudApi\Column\ReflectionService;
+use Tqdev\PhpCrudApi\Column\Reflection\ReflectedTable;
+use Tqdev\PhpCrudApi\Controller\Responder;
+use Tqdev\PhpCrudApi\Middleware\Base\Middleware;
+use Tqdev\PhpCrudApi\Middleware\Router\Router;
+use Tqdev\PhpCrudApi\Record\RequestUtils;
+use Tqdev\PhpCrudApi\Request;
+use Tqdev\PhpCrudApi\Response;
+
+class PageLimitsMiddleware extends Middleware
+{
+    private $reflection;
+
+    public function __construct(Router $router, Responder $responder, array $properties, ReflectionService $reflection)
+    {
+        parent::__construct($router, $responder, $properties);
+        $this->reflection = $reflection;
+        $this->utils = new RequestUtils($reflection);
+    }
+
+    private function getMissingOrderParam(ReflectedTable $table): String
+    {
+        $pk = $table->getPk();
+        if (!$pk) {
+            $columnNames = $table->getColumnNames();
+            if (!$columnNames) {
+                return '';
+            }
+            return $columnNames[0];
+        }
+        return $pk->getName();
+    }
+
+    public function handle(Request $request): Response
+    {
+        $operation = $this->utils->getOperation($request);
+        if ($operation == 'list') {
+            $tableName = $request->getPathSegment(2);
+            $table = $this->reflection->getTable($tableName);
+            if ($table) {
+                $params = $request->getParams();
+                if (!isset($params['order']) || !$params['order']) {
+                    $params['order'] = array($this->getMissingOrderParam($table));
+                }
+                $maxPage = (int) $this->getProperty('pages', '100');
+                if (isset($params['page']) && $params['page']) {
+                    if (strpos($params['page'][0], ',') === false) {
+                        $params['page'] = array(min($params['page'][0], $maxPage));
+                    } else {
+                        list($page, $size) = explode(',', $params['page'][0], 2);
+                        $params['page'] = array(min($page, $maxPage) . ',' . $size);
+                    }
+                }
+                $maxSize = (int) $this->getProperty('records', '1000');
+                if (!isset($params['size']) || !$params['size']) {
+                    $params['size'] = array($maxSize);
+                } else {
+                    $params['size'] = array(min($params['size'][0], $maxSize));
+                }
+                $request->setParams($params);
+            }
+        }
+        return $this->next->handle($request);
+    }
+}