feat: [AXM-549] Add query limit to User Enrollments

openedx · Oct 24, 2024 · bc71be4 · bc71be4
1 parent 2077249
commit bc71be4
Showing 1 changed file with 12 additions and 1 deletion.
diff --git a/lms/djangoapps/mobile_api/users/views.py b/lms/djangoapps/mobile_api/users/views.py
@@ -544,6 +544,9 @@ class UserEnrollmentsStatus(views.APIView):
         less than 30 days ago or has progressed in the course in the last 30 days.
         Otherwise, the registration is considered inactive.
 
+        USER_ENROLLMENTS_LIMIT - adds users enrollments query limit to
+        safe API from possible DDOS attacks.
+
     **Example Request**
 
         GET /api/mobile/{api_version}/users/<user_name>/enrollments_status/
@@ -586,6 +589,9 @@ class UserEnrollmentsStatus(views.APIView):
         ]
         ```
     """
+
+    USER_ENROLLMENTS_LIMIT = 500
+
     def get(self, request, *args, **kwargs) -> Response:
         """
         Gets user's enrollments status.
@@ -613,7 +619,12 @@ def _build_enrollments_status_dict(
         Builds list with dictionaries with user's enrolments statuses.
         """
         user = get_object_or_404(User, username=username)
-        user_enrollments = CourseEnrollment.enrollments_for_user(user).select_related('course')
+        user_enrollments = (
+            CourseEnrollment
+            .enrollments_for_user(user)
+            .select_related('course')
+            [:self.USER_ENROLLMENTS_LIMIT]
+        )
         mobile_available = [
             enrollment for enrollment in user_enrollments
             if is_mobile_available_for_user(user, enrollment.course_overview)