fix(api): correct critical bug in preference limit validation

fulleni · fulleni · commit 553a00ac643d · 2025-11-11T10:58:58.000+01:00
This commit fixes a critical bug in the DefaultUserPreferenceLimitService where interest-specific limits (pinned filters and notification subscriptions) were not being checked correctly.

Previously, the logic only ran if it detected a single added or updated interest, which meant the limits were completely bypassed if a user updated their preferences without changing an interest, or if they changed multiple interests at once.

The logic has been corrected to be stateless. It now validates the entire proposed updatedPreferences state on every request, ensuring that the total counts for pinned filters and all notification subscription types are always checked against the user's role-based limits. This closes the loophole that could have allowed users to exceed their configured limits.
diff --git a/lib/src/services/default_user_preference_limit_service.dart b/lib/src/services/default_user_preference_limit_service.dart
@@ -108,78 +108,51 @@ class DefaultUserPreferenceLimitService implements UserPreferenceLimitService {
       );
     }
 
-    // Find the interest that was added or updated to check its specific limits.
-    // This logic assumes only one interest is added or updated per request.
-    final currentInterestIds = currentPreferences.interests
-        .map((i) => i.id)
-        .toSet();
-    Interest? changedInterest;
-
-    for (final updatedInterest in updatedPreferences.interests) {
-      if (!currentInterestIds.contains(updatedInterest.id)) {
-        // This is a newly added interest.
-        changedInterest = updatedInterest;
-        break;
-      } else {
-        // This is a potentially updated interest. Find the original.
-        final originalInterest = currentPreferences.interests.firstWhere(
-          (i) => i.id == updatedInterest.id,
-        );
-        if (updatedInterest != originalInterest) {
-          changedInterest = updatedInterest;
-          break;
-        }
-      }
+    // Check total number of pinned feed filters.
+    final pinnedCount = updatedPreferences.interests
+        .where((i) => i.isPinnedFeedFilter)
+        .length;
+    if (pinnedCount > interestLimits.pinnedFeedFilters) {
+      _log.warning(
+        'User ${user.id} exceeded pinned feed filter limit: '
+        '${interestLimits.pinnedFeedFilters} (attempted $pinnedCount).',
+      );
+      throw ForbiddenException(
+        'You have reached your limit of ${interestLimits.pinnedFeedFilters} '
+        'pinned feed filters.',
+      );
     }
 
-    // If an interest was added or updated, check its specific limits.
-    if (changedInterest != null) {
-      _log.info('Checking limits for changed interest: ${changedInterest.id}');
+    // Check notification subscription limits for each possible delivery type.
+    for (final deliveryType
+        in PushNotificationSubscriptionDeliveryType.values) {
+      final notificationLimit = interestLimits.notifications[deliveryType];
+      if (notificationLimit == null) {
+        _log.severe(
+          'Notification limit for type ${deliveryType.name} not found for '
+          'role ${user.appRole}. Denying request by default.',
+        );
+        throw ForbiddenException(
+          'Notification limits for ${deliveryType.name} are not configured.',
+        );
+      }
 
-      // Check total number of pinned feed filters.
-      final pinnedCount = updatedPreferences.interests
-          .where((i) => i.isPinnedFeedFilter)
+      // Count how many of the user's proposed interests include this type.
+      final subscriptionCount = updatedPreferences.interests
+          .where((i) => i.deliveryTypes.contains(deliveryType))
           .length;
-      if (pinnedCount > interestLimits.pinnedFeedFilters) {
+
+      if (subscriptionCount > notificationLimit) {
         _log.warning(
-          'User ${user.id} exceeded pinned feed filter limit: '
-          '${interestLimits.pinnedFeedFilters} (attempted $pinnedCount).',
+          'User ${user.id} exceeded notification limit for '
+          '${deliveryType.name}: $notificationLimit '
+          '(attempted $subscriptionCount).',
         );
         throw ForbiddenException(
-          'You have reached your limit of ${interestLimits.pinnedFeedFilters} '
-          'pinned feed filters.',
+          'You have reached your limit of $notificationLimit '
+          '${deliveryType.name} notification subscriptions.',
         );
       }
-
-      // Check notification subscription limits for each type.
-      for (final deliveryType in changedInterest.deliveryTypes) {
-        final notificationLimit = interestLimits.notifications[deliveryType];
-        if (notificationLimit == null) {
-          _log.severe(
-            'Notification limit for type ${deliveryType.name} not found for '
-            'role ${user.appRole}. Denying request by default.',
-          );
-          throw ForbiddenException(
-            'Notification limits for ${deliveryType.name} are not configured.',
-          );
-        }
-
-        final subscriptionCount = updatedPreferences.interests
-            .where((i) => i.deliveryTypes.contains(deliveryType))
-            .length;
-
-        if (subscriptionCount > notificationLimit) {
-          _log.warning(
-            'User ${user.id} exceeded notification limit for '
-            '${deliveryType.name}: $notificationLimit '
-            '(attempted $subscriptionCount).',
-          );
-          throw ForbiddenException(
-            'You have reached your limit of $notificationLimit '
-            '${deliveryType.name} notification subscriptions.',
-          );
-        }
-      }
     }
 
     _log.info(
