limit number of posts per request muchdogesec/obstracts#489 (#217)

fqrious · web-flow · commit f220088c4d75 · 2026-04-13T16:20:02.000+01:00
diff --git a/history4feed/app/serializers.py b/history4feed/app/serializers.py
@@ -2,6 +2,8 @@
 from .models import AUTO_TITLE_TRAIL, FEED_DESCRIPTION_MAX_LENGTH, Category, Feed, Post, Job, normalize_url, FeedType, title_as_string
 from django.db import models as django_models
 from django.utils.translation import gettext_lazy as _
+from .settings import history4feed_server_settings
+
 
 class TitleField(serializers.CharField):
     def to_internal_value(self, data):
@@ -155,7 +157,7 @@ class Meta:
 
     
 class CreatePostsSerializer(serializers.Serializer):
-    posts = serializers.ListField(child=PostCreateSerializer(), allow_empty=False)
+    posts = serializers.ListField(child=PostCreateSerializer(), allow_empty=False, max_length=history4feed_server_settings.CREATE_POSTS_MAX_LENGTH)
 
 
     def create(self, validated_data):
diff --git a/history4feed/app/settings.py b/history4feed/app/settings.py
@@ -15,6 +15,7 @@
     'HISTORY4FEED_NAMESPACE': uuid.UUID("6c6e6448-04d4-42a3-9214-4f0f7d02694e"),
     "BRAVE_SEARCH_API_KEY": None,
     "FULLTEXT_FETCH_TIMEOUT_SECONDS": 100, # time limit for fulltext fetch tasks
+    "CREATE_POSTS_MAX_LENGTH": 100, # maximum number of posts that can be created in a single request
 }
 
 IMPORT_STRINGS = [
@@ -28,7 +29,7 @@ class History4FeedServerSettings(APISettings):
     HISTORY4FEED_NAMESPACE : str|uuid.UUID
     BRAVE_SEARCH_API_KEY: str
     FULLTEXT_FETCH_TIMEOUT_SECONDS: int
-
+    CREATE_POSTS_MAX_LENGTH: int
     @property
     def user_settings(self):
         if not hasattr(self, '_user_settings'):
diff --git a/history4feed/app/views.py b/history4feed/app/views.py
@@ -56,6 +56,7 @@
 from datetime import datetime
 import textwrap
 import django.utils
+from django.db import transaction
 
 from history4feed.app import serializers
 
@@ -679,6 +680,7 @@ def get_queryset(self):
         },
         request=CreatePostsSerializer,
     )
+    @transaction.atomic
     def create(self, request, *args, feed_id=None, **kwargs):
         job_obj = self.new_create_post_job(request, feed_id)
         job_resp = JobSerializer(job_obj).data.copy()
diff --git a/pyproject.toml b/pyproject.toml
@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "history4feed"
-version = "1.2.1"
+version = "1.2.2"
 authors = [
   { name = "dogesec" }
 ]
diff --git a/tests/src/test_serializers.py b/tests/src/test_serializers.py
@@ -26,6 +26,52 @@ def test_create_posts_serializer__existing_url(feed_posts):
     assert serializer.errors['posts'][0]['link'][0] == f'Post at `{post.link}` already exists in feed.'
 
 
+@pytest.mark.django_db
+def test_create_posts_serializer__CREATE_POSTS_MAX_LENGTH():
+    """Test that CreatePostsSerializer uses CREATE_POSTS_MAX_LENGTH from settings"""
+    from history4feed.app.settings import history4feed_server_settings
+    from unittest.mock import patch
+    import importlib
+    
+    # Mock the settings value before the serializer class is evaluated
+    with patch.object(history4feed_server_settings, 'CREATE_POSTS_MAX_LENGTH', 2):
+        # Reload the serializers module so it picks up the mocked value
+        import history4feed.app.serializers as serializers_module
+        importlib.reload(serializers_module)
+        
+        # Now create the serializer with 3 posts (exceeds limit of 2)
+        serializer = serializers_module.CreatePostsSerializer(data={
+            "posts": [
+                {
+                    "title": "Post 1",
+                    "link": "https://example.com/post1",
+                    "pubdate": datetime.now(UTC).isoformat(),
+                    "author": "Author",
+                    "categories": ["Category1"],
+                },
+                {
+                    "title": "Post 2",
+                    "link": "https://example.com/post2",
+                    "pubdate": datetime.now(UTC).isoformat(),
+                    "author": "Author",
+                    "categories": ["Category2"],
+                },
+                {
+                    "title": "Post 3",
+                    "link": "https://example.com/post3",
+                    "pubdate": datetime.now(UTC).isoformat(),
+                    "author": "Author",
+                    "categories": ["Category3"],
+                }
+            ]
+        })
+        
+        assert not serializer.is_valid()
+        assert 'posts' in serializer.errors
+        assert 'Ensure this field has no more than 2' in str(serializer.errors['posts'][0])
+    
+    # Reload again to restore the original module state
+    importlib.reload(serializers_module)
 
 @pytest.mark.django_db
 def test_post_serializer_excludes_description():

Original file line number	Diff line number	Diff line change
`@@ -4,7 +4,7 @@ build-backend = "hatchling.build"`
`4`	`4`
`5`	`5`	`[project]`
`6`	`6`	`name = "history4feed"`
`7`		`-version = "1.2.1"`
	`7`	`+version = "1.2.2"`
`8`	`8`	`authors = [`
`9`	`9`	`{ name = "dogesec" }`
`10`	`10`	`]`