Prevent deep pagination causing Solr trouble

Gemfile.lock

@@ -39,7 +39,6 @@ PATH
       kaminari
       kaminari-mongoid
       lazy_high_charts
-      mimemagic
       mongoid (>= 7.4.0)
       mongoid_auto_increment
       progressbar
@@ -285,9 +284,6 @@ GEM
       logger
       mime-types-data (~> 3.2015)
     mime-types-data (3.2024.1001)
-    mimemagic (0.4.3)
-      nokogiri (~> 1)
-      rake
     mini_mime (1.1.5)
     minitest (5.25.4)
     mongo (2.20.0)
@@ -313,11 +309,11 @@ GEM
       net-protocol
     netrc (0.11.0)
     nio4r (2.7.4)
-    nokogiri (1.18.8-arm64-darwin)
+    nokogiri (1.18.9-arm64-darwin)
       racc (~> 1.4)
-    nokogiri (1.18.8-x86_64-darwin)
+    nokogiri (1.18.9-x86_64-darwin)
       racc (~> 1.4)
-    nokogiri (1.18.8-x86_64-linux-gnu)
+    nokogiri (1.18.9-x86_64-linux-gnu)
       racc (~> 1.4)
     optparse (0.5.0)
     orm_adapter (0.5.0)
@@ -480,7 +476,7 @@ GEM
     sunspot_test (0.4.2)
       sunspot_rails (>= 2.1.1)
       sunspot_solr
-    thor (1.3.2)
+    thor (1.4.0)
     timecop (0.9.10)
     timeout (0.4.3)
     tzinfo (2.0.6)
@@ -507,6 +503,7 @@ GEM
 PLATFORMS
   arm64-darwin-22
   arm64-darwin-23
+  arm64-darwin-24
   x86_64-darwin-22
   x86_64-darwin-23
   x86_64-darwin-24

app/controllers/supplejack_api/records_controller.rb

@@ -14,7 +14,9 @@ class RecordsController < SupplejackApplicationController
     respond_to :json, :xml, :rss
 
     def index
-      @search = SupplejackApi::RecordSearch.new(all_params)
+      options = all_params.dup
+      options['role'] = current_user&.role
+      @search = SupplejackApi::RecordSearch.new(options)
       @search.scope = current_user
 
       if @search.valid?

app/models/supplejack_api/search.rb

@@ -9,9 +9,16 @@ class Search
     def initialize(options = {})
       @original_options = options.dup
       klass = self.class
-      @options = SearchParams.new(
-        **options.merge(model_class: klass.model_class, schema_class: klass.schema_class)
-      )
+
+      @options = if options[:role].present? && options[:role].include?('anonymous')
+                   AnonymousSearchParams.new(
+                     **options.merge(model_class: klass.model_class, schema_class: klass.schema_class)
+                   )
+                 else
+                   SearchParams.new(
+                     **options.merge(model_class: klass.model_class, schema_class: klass.schema_class)
+                   )
+                 end
     end
 
     def self.model_class

app/params/supplejack_api/anonymous_mlt_params.rb

@@ -0,0 +1,10 @@
+# frozen_string_literal: true
+
+module SupplejackApi
+  class AnonymousMltParams < MltParams
+    self.max_values = {
+      page: 100,
+      per_page: 100
+    }
+  end
+end

app/params/supplejack_api/anonymous_search_params.rb

@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+
+module SupplejackApi
+  class AnonymousSearchParams < SearchParams
+    self.max_values = {
+      page: 100,
+      per_page: 100,
+      facets_per_page: 350,
+      facets_page: 5000
+    }
+  end
+end

app/params/supplejack_api/concerns/helpers_params.rb

@@ -22,9 +22,13 @@ def cast_param(_name, value)
         # - the corresponding max value if it is exceeding it
         # - the value otherwise
         def integer_param(param, value)
-          if self.class.max_values[param] < value
+          # rubocop:disable Layout/LineLength
+          if param == :page && (instance_of?(AnonymousSearchParams) || instance_of?(AnonymousMltParams)) && self.class.max_values[param] < value
+            errors << "The #{param} parameter for anonymous users (without an API key) can not exceed #{self.class.max_values[param]}"
+          elsif self.class.max_values[param] < value
             errors << "The #{param} parameter can not exceed #{self.class.max_values[param]}"
           end
+          # rubocop:enable Layout/LineLength
 
           value = value.to_i
           value = [value, self.class.max_values[param]].min if self.class.max_values[param]

app/params/supplejack_api/mlt_params.rb

@@ -16,7 +16,7 @@ class MltParams < BaseParams
     class_attribute :max_values
 
     self.max_values = {
-      page: 100_000,
+      page: 50_000,
       per_page: 100
     }
 

app/params/supplejack_api/search_params.rb

@@ -27,7 +27,7 @@ class SearchParams < BaseParams
     class_attribute :max_values
 
     self.max_values = {
-      page: 100_000,
+      page: 50_000,
       per_page: 100,
       facets_per_page: 350,
       facets_page: 5000

app/solr_queries/supplejack_api/more_like_this_search.rb

@@ -5,11 +5,21 @@ class MoreLikeThisSearch < BaseSearch
     attr_reader :role, :record
 
     def initialize(record, role, params)
-      super(SupplejackApi::MltParams.new(
-        **params.merge(
-          schema_class: RecordSchema, model_class: SupplejackApi::Record
-        )
-      ))
+      mlt_params = if role.present? && role == :anonymous
+                     SupplejackApi::AnonymousMltParams.new(
+                       **params.merge(
+                         schema_class: RecordSchema, model_class: SupplejackApi::Record
+                       )
+                     )
+                   else
+                     SupplejackApi::MltParams.new(
+                       **params.merge(
+                         schema_class: RecordSchema, model_class: SupplejackApi::Record
+                       )
+                     )
+                   end
+
+      super(mlt_params)
       @record = record
       @role = role
     end

config/brakeman.ignore

@@ -0,0 +1,24 @@
+{
+  "ignored_warnings": [
+    {
+      "warning_type": "Unmaintained Dependency",
+      "warning_code": 122,
+      "fingerprint": "21ab0fe00fdd5899ffc405cff75aadb91b805ee996a614f7e27b08a287e9062d",
+      "check_name": "EOLRails",
+      "message": "Support for Rails 7.1.5.1 ends on 2025-10-01",
+      "file": "Gemfile.lock",
+      "line": 353,
+      "link": "https://brakemanscanner.org/docs/warning_types/unmaintained_dependency/",
+      "code": null,
+      "render_path": null,
+      "location": null,
+      "user_input": null,
+      "confidence": "Weak",
+      "cwe_id": [
+        1104
+      ],
+      "note": ""
+    }
+  ],
+  "brakeman_version": "7.1.0"
+}

spec/models/supplejack_api/search_spec.rb

@@ -178,33 +178,42 @@ module SupplejackApi
         expect(@search.valid?).to be false
       end
 
-      it 'sets warning if page vale is greater than 10000' do
-        search = RecordSearch.new(page: 100_001)
+      it 'sets warning if page value is greater than 100' do
+        search = RecordSearch.new(page: 101, role: 'anonymous')
         search.valid?
 
-        expect(search.errors).to include 'The page parameter can not exceed 100000'
+        # rubocop:disable Layout/LineLength
+        expect(search.errors).to include 'The page parameter for anonymous users (without an API key) can not exceed 100'
+        # rubocop:enable Layout/LineLength
       end
 
-      it 'sets warning if per_page vale is greater than 100' do
+      it 'sets warning if per_page value is greater than 100' do
         search = RecordSearch.new(per_page: 101)
         search.valid?
 
         expect(search.errors).to include 'The per_page parameter can not exceed 100'
       end
 
-      it 'sets warning if facets_per_page vale is greater than 350' do
+      it 'sets warning if facets_per_page value is greater than 350' do
         search = RecordSearch.new(facets_per_page: 351)
         search.valid?
 
         expect(search.errors).to include 'The facets_per_page parameter can not exceed 350'
       end
 
-      it 'sets warning if facets_page vale is greater than 5000' do
+      it 'sets warning if facets_page value is greater than 5000' do
         search = RecordSearch.new(facets_page: 5001)
         search.valid?
 
         expect(search.errors).to include 'The facets_page parameter can not exceed 5000'
       end
+
+      it 'sets warning if page is greater than 50000 with api key' do
+        search = RecordSearch.new('page' => '50_001', 'api_key' => 'testapikey')
+        search.valid?
+
+        expect(search.errors).to include 'The page parameter can not exceed 50000'
+      end
     end
 
     describe '#solr_search_object' do

spec/solr_queries/supplejack_api/more_like_this_search_spec.rb

@@ -97,15 +97,24 @@ module SupplejackApi
         expect(MoreLikeThisSearch.new(record, :anonymous, {}).valid?).to be true
       end
 
-      it 'sets error if page value is greater than 100_000' do
-        search = MoreLikeThisSearch.new(record, :anonymous, page: 100_001)
-        expect(search.errors).to include 'The page parameter can not exceed 100000'
+      it 'sets error if page value is greater than 100' do
+        search = MoreLikeThisSearch.new(record, :anonymous, page: 101)
+        # rubocop:disable Layout/LineLength
+        expect(search.errors).to include 'The page parameter for anonymous users (without an API key) can not exceed 100'
+        # rubocop:enable Layout/LineLength
       end
 
-      it 'sets warning if per_page vale is greater than 100' do
+      it 'sets warning if per_page value is greater than 100' do
         search = MoreLikeThisSearch.new(record, :anonymous, per_page: 101)
         expect(search.errors).to include 'The per_page parameter can not exceed 100'
       end
+
+      it 'sets warning if page is greater than 50000 with api key' do
+        search = MoreLikeThisSearch.new(record, :admin, { 'page' => 50_001, 'api_key' => 'testapikey' })
+        search.valid?
+
+        expect(search.errors).to include 'The page parameter can not exceed 50000'
+      end
     end
   end
 end

supplejack_api.gemspec

@@ -28,7 +28,6 @@ Gem::Specification.new do |s|
   s.add_dependency 'kaminari'
   s.add_dependency 'kaminari-mongoid'
   s.add_dependency 'lazy_high_charts'
-  s.add_dependency 'mimemagic'
   s.add_dependency 'mongoid', '>= 7.4.0'
   s.add_dependency 'mongoid_auto_increment'
   s.add_dependency 'progressbar'