Merge branch '345371-add-date-range-limit-in-audit-events-controllers' into 'master'

Limit audit events controller to 31 days date range

See merge request gitlab-org/gitlab!83077

ee/app/controllers/concerns/audit_events/date_range.rb

@@ -4,15 +4,30 @@ module AuditEvents
   module DateRange
     extend ActiveSupport::Concern
 
+    DATE_RANGE_LIMIT = 31
+
     included do
-      before_action :set_date_range, only: [:index]
+      before_action :set_date_range, :validate_date_range, only: [:index]
     end
 
     private
 
     def set_date_range
-      params[:created_before] = params[:created_before].nil? ? Date.current.end_of_day : Date.parse(params[:created_before]).end_of_day
-      params[:created_after] = Date.current.beginning_of_month unless params[:created_after]
+      params[:created_before] = params[:created_before].blank? ? Date.current.end_of_day : Date.parse(params[:created_before]).end_of_day
+      params[:created_after] = Date.current.beginning_of_month unless params[:created_after].present?
+    end
+
+    def validate_date_range
+      return unless (params[:created_before].to_date - params[:created_after].to_date).days > DATE_RANGE_LIMIT.days
+
+      message = _('Date range limited to %{number} days') % { number: DATE_RANGE_LIMIT }
+      respond_to do |format|
+        format.html do
+          flash[:alert] = message
+          render status: :bad_request
+        end
+        format.any { head :bad_request }
+      end
     end
   end
 end

ee/spec/controllers/admin/audit_logs_controller_spec.rb

@@ -63,6 +63,12 @@ RSpec.describe Admin::AuditLogsController do
           end
         end
       end
+
+      context 'when date range is greater than limit' do
+        subject { get :index, params: { 'created_before': created_before, 'created_after': created_after } }
+
+        it_behaves_like 'a date range error is returned'
+      end
     end
 
     context 'by user' do

ee/spec/controllers/groups/audit_events_controller_spec.rb

@@ -150,6 +150,12 @@ RSpec.describe Groups::AuditEventsController do
           end
         end
       end
+
+      context 'when date range is greater than limit' do
+        subject { get :index, params: { group_id: group.to_param, 'created_before': created_before, 'created_after': created_after } }
+
+        it_behaves_like 'a date range error is returned'
+      end
     end
 
     context 'when authorized owner' do

ee/spec/controllers/projects/audit_events_controller_spec.rb

@@ -126,6 +126,12 @@ RSpec.describe Projects::AuditEventsController do
           end
         end
       end
+
+      context 'when date range is greater than limit' do
+        subject { get :index, params: { project_id: project.to_param, namespace_id: project.namespace.to_param, 'created_before': created_before, 'created_after': created_after } }
+
+        it_behaves_like 'a date range error is returned'
+      end
     end
 
     shared_examples 'pagination' do

ee/spec/support/shared_examples/controllers/date_range_validation_shared_examples.rb

+# frozen_string_literal: true
+
+RSpec.shared_examples 'a date range error is returned' do
+  using RSpec::Parameterized::TableSyntax
+
+  where(:created_after, :created_before) do
+    '2021-01-01' | '2021-02-02'
+    '2022-01-31' | nil
+  end
+  with_them do
+    it 'returns an error' do
+      subject
+
+      expect(response).to have_gitlab_http_status(:bad_request)
+      expect(flash[:alert]).to eq 'Date range limited to 31 days'
+    end
+  end
+end