Refs #621. Provides default maxLimit for pagination to prevent url manipulation causing long queries.

cake/libs/controller/controller.php

@@ -112,7 +112,7 @@ class Controller extends Object {
  * @var array
  * @link http://book.cakephp.org/view/1231/Pagination
  */
-	public $paginate = array('limit' => 20, 'page' => 1);
+	public $paginate = array('limit' => 20, 'page' => 1, 'maxLimit' => 100);
 
 /**
  * The name of the views subfolder containing views for this controller.
@@ -1074,8 +1074,8 @@ class Controller extends Object {
 			unset($defaults[0]);
 		}
 
-		$options = array_merge(array('page' => 1, 'limit' => 20), $defaults, $options);
-		$options['limit'] = (int) $options['limit'];
+		$options = array_merge(array('page' => 1, 'limit' => 20, 'maxLimit' => 100), $defaults, $options);
+		$options['limit'] = min((int)$options['limit'], $options['maxLimit']);
 		if (empty($options['limit']) || $options['limit'] < 1) {
 			$options['limit'] = 1;
 		}
@@ -1114,7 +1114,7 @@ class Controller extends Object {
 		} elseif (intval($page) < 1) {
 			$options['page'] = $page = 1;
 		}
-		$page = $options['page'] = (integer)$page;
+		$page = $options['page'] = (int)$page;
 
 		if (method_exists($object, 'paginate')) {
 			$results = $object->paginate(

cake/tests/cases/libs/controller/controller.test.php

@@ -750,6 +750,45 @@ class ControllerTest extends CakeTestCase {
 		$this->assertEqual($Controller->ControllerPaginateModel->extraCount, $expected);
 	}
 
+/**
+ * testPaginateMaxLimit
+ *
+ * @return void
+ * @access public
+ */
+	function testPaginateMaxLimit() {
+		$request = new CakeRequest('controller_posts/index');
+		$request->params['pass'] = $request->params['named'] = array();
+
+		$Controller = new Controller($request);
+
+		$Controller->uses = array('ControllerPost', 'ControllerComment');
+		$Controller->passedArgs[] = '1';
+		$Controller->params['url'] = array();
+		$Controller->constructClasses();
+
+		$Controller->passedArgs = array('contain' => array('ControllerComment'), 'limit' => '1000');
+		$result = $Controller->paginate('ControllerPost');
+		$this->assertEqual($Controller->params['paging']['ControllerPost']['options']['limit'], 100);
+
+		$Controller->passedArgs = array('contain' => array('ControllerComment'), 'limit' => '1000', 'maxLimit' => 1000);
+		$result = $Controller->paginate('ControllerPost');
+		$this->assertEqual($Controller->params['paging']['ControllerPost']['options']['limit'], 100);
+
+		$Controller->passedArgs = array('contain' => array('ControllerComment'), 'limit' => '10');
+		$result = $Controller->paginate('ControllerPost');
+		$this->assertEqual($Controller->params['paging']['ControllerPost']['options']['limit'], 10);
+
+		$Controller->passedArgs = array('contain' => array('ControllerComment'), 'limit' => '1000');
+		$Controller->paginate = array('maxLimit' => 2000);
+		$result = $Controller->paginate('ControllerPost');
+		$this->assertEqual($Controller->params['paging']['ControllerPost']['options']['limit'], 1000);
+
+		$Controller->passedArgs = array('contain' => array('ControllerComment'), 'limit' => '5000');
+		$result = $Controller->paginate('ControllerPost');
+		$this->assertEqual($Controller->params['paging']['ControllerPost']['options']['limit'], 2000);
+	}
+
 /**
  * testPaginateFieldsDouble method
  *
@@ -820,6 +859,7 @@ class ControllerTest extends CakeTestCase {
 			'fields' => array(),
 			'order' => '',
 			'limit' => 5,
+			'maxLimit' => 100,
 			'page' => 1,
 			'recursive' => -1,
 			'conditions' => array()