Restrict limit query parameter

src/statuses/routes.clj

@@ -1,15 +1,26 @@
 (ns statuses.routes
-  (:require [statuses.configuration :refer [config]]))
+  (:require [clojure.string :as s]
+    [statuses.configuration :refer [config]]))
+
+(defn query-params [params]
+  (let [filtered-params (into {} (remove (comp nil? second)) params)]
+    (if (empty? filtered-params)
+      ""
+      (->> filtered-params
+           (map #(str (name (key %)) "=" (val %)))
+           (s/join "&")
+           (str "?")))))
 
 (def base-template "/statuses")
 (defn base-path [] base-template)
 
 (def updates-template (str base-template "/updates"))
 (defn updates-path
-  ([] (updates-path nil))
-  ([response-format]
+  ([] (updates-path {}))
+  ([params]
    (str updates-template
-        (if response-format (str "?format=" (name response-format)) ""))))
+        (query-params (select-keys params
+                                   [:limit :offset :author :query :format])))))
 
 (def update-template (str updates-template "/:id"))
 (defn update-path [id] (str (updates-path) "/" id))
@@ -29,8 +40,8 @@
 (defn mention-path
   ([username] (mention-path username nil))
   ([username response-format]
-   (str (updates-path) "?query=@" username
-        (if response-format (str "&format=" (name response-format)) ""))))
+   (updates-path {:query (str "@" username)
+                  :format response-format})))
 
 (defn issue-path [] (config :issue-tracker-url))
 

src/statuses/routing.clj

@@ -48,24 +48,26 @@
 (defn updates-page [params request]
   (let [next (next-uri (update-in params [:offset] (partial + (:limit params))) request)
         {:keys [limit offset author query format]} params]
-    (with-etag request (:time (first (core/get-latest @db 1 offset author query)))
-      (let [items (core/label-updates :can-delete?
-                                      (partial core/can-delete? @db (user request))
-                                      (core/get-latest @db limit offset author query))]
-        (cond
-         (= format "json") (content-type
-                             "application/json"
-                             (json/as-json {:items (json-decorator/decorate items), :next next}))
-         (= format "atom") (content-type
-                             "application/atom+xml;charset=utf-8"
-                             (atom/render-atom items
-                                               (str (base-uri request) "/statuses")
-                                               (str (base-uri request)
-                                                    "/statuses/updates?"
-                                                    (:query-string request))))
-         :else (content-type
-                 "text/html;charset=utf-8"
-                 (list-page items next (user request) nil)))))))
+    (if (> limit 100)
+      (redirect (route/updates-path (assoc params :limit 100)))
+      (with-etag request (:time (first (core/get-latest @db 1 offset author query)))
+        (let [items (core/label-updates :can-delete?
+                                        (partial core/can-delete? @db (user request))
+                                        (core/get-latest @db limit offset author query))]
+          (cond
+            (= format "json") (content-type
+                                "application/json"
+                                (json/as-json {:items (json-decorator/decorate items), :next next}))
+            (= format "atom") (content-type
+                                "application/atom+xml;charset=utf-8"
+                                (atom/render-atom items
+                                                  (str (base-uri request) "/statuses")
+                                                  (str (base-uri request)
+                                                       "/statuses/updates?"
+                                                       (:query-string request))))
+            :else (content-type
+                    "text/html;charset=utf-8"
+                    (list-page items next (user request) nil))))))))
 
 (defn new-update
   "Handles the request to add a new update. Checks whether the post values 'entry-text' or

src/statuses/views/main.clj

@@ -43,7 +43,7 @@
     [:div.avatar
      (link-to (profile-path author) [:img {:src (avatar-path author) :alt author}])]
     [:div.meta
-     [:span.author (link-to (str (updates-path) "?author=" author) author)]
+     [:span.author (link-to (updates-path {:author author}) author)]
      (if in-reply-to
        [:span.reply (link-to (update-path in-reply-to) in-reply-to)])
      [:span.actions (button "reply" "Reply" "reply")

test/linkification.clj

@@ -36,13 +36,13 @@
 (deftest linkify-uris-with-fragment-identifier
   (is (=
       (linkify "lorem http://example.org#anchor ipsum")
-      "lorem <a href=\"http://example.org#anchor\">http://example.org#anchor</a> ipsum")))
+      "lorem <a href=\"http://example.org#anchor\">http://example.org#anchor</a> ipsum"))
   (is (=
       (linkify "#hashtag lipsum http://example.org#anchor-name")
       "#<a href=\"/statuses/updates?query=%23hashtag\">hashtag</a> lipsum <a href=\"http://example.org#anchor-name\">http://example.org#anchor-name</a>"))
   (is (=
       (linkify "lipsum http://example.org#anchor-name #hashtag")
-      "lipsum <a href=\"http://example.org#anchor-name\">http://example.org#anchor-name</a> #<a href=\"/statuses/updates?query=%23hashtag\">hashtag</a>"))
+      "lipsum <a href=\"http://example.org#anchor-name\">http://example.org#anchor-name</a> #<a href=\"/statuses/updates?query=%23hashtag\">hashtag</a>")))
 
 (deftest linkify-email-addresses
   (is (=

test/statuses/test/routes.clj

@@ -0,0 +1,20 @@
+(ns statuses.test.routes
+  (:require [clojure.test :refer [deftest is]]
+            [statuses.routes :as sut]))
+
+(deftest test-query-params
+  (is (=
+       (sut/query-params {})
+       ""))
+  (is (=
+       (sut/query-params {:foo "bar"})
+       "?foo=bar"))
+  (is (=
+       (sut/query-params {:foo "bar" :bar "foo"})
+       "?foo=bar&bar=foo"))
+  (is (=
+       (sut/query-params {:foo "bar" :bar nil})
+       "?foo=bar"))
+  (is (=
+       (sut/query-params {:foo nil :bar nil}))))
+