Merge pull request #10645 from tdonohue/port_10549_to_7x

[Port dspace-7_x] restrict maximum value of URL parameter rpp in OpenSearchController to a reasonable default

dspace-api/src/main/java/org/dspace/app/util/OpenSearchServiceImpl.java

@@ -101,6 +101,14 @@ public class OpenSearchServiceImpl implements OpenSearchService {
             configurationService.getProperty("websvc.opensearch.uicontext");
     }
 
+    /**
+     * Get base search UI URL (websvc.opensearch.max_num_of_items_per_request)
+     */
+    public int getMaxNumOfItemsPerRequest() {
+        return configurationService.getIntProperty(
+                "websvc.opensearch.max_num_of_items_per_request", 100);
+    }
+
     @Override
     public String getContentType(String format) {
         return "html".equals(format) ? "text/html" :

dspace-api/src/main/java/org/dspace/app/util/service/OpenSearchService.java

@@ -117,4 +117,10 @@ public interface OpenSearchService {
 
     public DSpaceObject resolveScope(Context context, String scope) throws SQLException;
 
+    /**
+     * Retrieves the maximum number of items that can be included in a single opensearch request.
+     *
+     * @return the maximum number of items allowed per request
+     */
+    int getMaxNumOfItemsPerRequest();
 }

dspace-server-webapp/src/main/java/org/dspace/app/rest/OpenSearchController.java

@@ -21,17 +21,13 @@ import javax.xml.transform.TransformerFactory;
 import javax.xml.transform.dom.DOMSource;
 import javax.xml.transform.stream.StreamResult;
 
+import org.apache.commons.lang3.StringUtils;
 import org.apache.logging.log4j.Logger;
 import org.dspace.app.rest.utils.ContextUtil;
 import org.dspace.app.rest.utils.ScopeResolver;
 import org.dspace.app.util.SyndicationFeed;
 import org.dspace.app.util.factory.UtilServiceFactory;
 import org.dspace.app.util.service.OpenSearchService;
-import org.dspace.authorize.factory.AuthorizeServiceFactory;
-import org.dspace.authorize.service.AuthorizeService;
-import org.dspace.content.factory.ContentServiceFactory;
-import org.dspace.content.service.CollectionService;
-import org.dspace.content.service.CommunityService;
 import org.dspace.core.Context;
 import org.dspace.core.LogHelper;
 import org.dspace.core.Utils;
@@ -50,7 +46,6 @@ import org.dspace.discovery.configuration.DiscoverySortFieldConfiguration;
 import org.dspace.discovery.indexobject.IndexableItem;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Controller;
-import org.springframework.ui.Model;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestParam;
@@ -67,12 +62,9 @@ import org.w3c.dom.Document;
 public class OpenSearchController {
 
     private static final Logger log = org.apache.logging.log4j.LogManager.getLogger();
-    private static final String errorpath = "/error";
+
     private List<String> searchIndices = null;
 
-    private CommunityService communityService;
-    private CollectionService collectionService;
-    private AuthorizeService authorizeService;
     private OpenSearchService openSearchService;
 
     @Autowired
@@ -99,22 +91,28 @@ public class OpenSearchController {
                          @RequestParam(name = "format", required = false) String format,
                          @RequestParam(name = "sort", required = false) String sort,
                          @RequestParam(name = "sort_direction", required = false) String sortDirection,
-                         @RequestParam(name = "scope", required = false) String dsoObject,
+                         @RequestParam(name = "scope", required = false) String dsoObject)
-                         Model model) throws IOException, ServletException {
+        throws IOException, ServletException {
         context = ContextUtil.obtainContext(request);
-        if (start == null) {
+
-            start = 0;
-        }
-        if (count == null) {
-            count = -1;
-        }
         if (openSearchService == null) {
             openSearchService = UtilServiceFactory.getInstance().getOpenSearchService();
         }
+
         if (openSearchService.isEnabled()) {
             init();
+
+            if (start == null) {
+                start = 0;
+            }
+
+            if (count == null) {
+                count = -1;
+            }
+            count = Math.min(count, openSearchService.getMaxNumOfItemsPerRequest());
+
             // get enough request parameters to decide on action to take
-            if (format == null || "".equals(format)) {
+            if (StringUtils.isEmpty(format)) {
                 // default to atom
                 format = "atom";
             }
@@ -266,9 +264,6 @@ public class OpenSearchController {
                 searchIndices.add(sFilter.getIndexFieldName());
             }
         }
-        communityService = ContentServiceFactory.getInstance().getCommunityService();
-        collectionService = ContentServiceFactory.getInstance().getCollectionService();
-        authorizeService = AuthorizeServiceFactory.getInstance().getAuthorizeService();
     }
 
     public void setOpenSearchService(OpenSearchService oSS) {

dspace/config/dspace.cfg

@@ -1362,7 +1362,8 @@ websvc.opensearch.tags = IR DSpace
 # result formats offered - use 1 or more comma-separated from: html,atom,rss
 # html uses the normal search module
 websvc.opensearch.formats = html,atom,rss
-
+# maximum number of item per request
+websvc.opensearch.max_num_of_items_per_request = 100
 
 #### Content Inline Disposition Threshold ####
 #