From e1a5310a3acabc08bb52aa28b6b24076a471e8a5 Mon Sep 17 00:00:00 2001
From: spiral <spiral@spiral.sh>
Date: Wed, 3 Nov 2021 02:42:37 -0400
Subject: [PATCH] fix: check member/group limits before creating

---
 PluralKit.API/Controllers/v2/GroupControllerV2.cs  | 6 ++++++
 PluralKit.API/Controllers/v2/MemberControllerV2.cs | 9 +++++++--
 PluralKit.API/Errors.cs                            | 2 ++
 3 files changed, 15 insertions(+), 2 deletions(-)

diff --git a/PluralKit.API/Controllers/v2/GroupControllerV2.cs b/PluralKit.API/Controllers/v2/GroupControllerV2.cs
index 63f4e6a4..df4ad030 100644
--- a/PluralKit.API/Controllers/v2/GroupControllerV2.cs
+++ b/PluralKit.API/Controllers/v2/GroupControllerV2.cs
@@ -56,6 +56,12 @@ namespace PluralKit.API
         {
             var system = await ResolveSystem("@me");
 
+            // Check group cap
+            var existingGroupCount = await _repo.GetSystemGroupCount(system.Id);
+            var groupLimit = system.GroupLimitOverride ?? Limits.MaxGroupCount;
+            if (existingGroupCount >= groupLimit)
+                throw Errors.GroupLimitReached;
+
             var patch = GroupPatch.FromJson(data);
             patch.AssertIsValid();
             if (!patch.Name.IsPresent)
diff --git a/PluralKit.API/Controllers/v2/MemberControllerV2.cs b/PluralKit.API/Controllers/v2/MemberControllerV2.cs
index c7b8c090..94c92571 100644
--- a/PluralKit.API/Controllers/v2/MemberControllerV2.cs
+++ b/PluralKit.API/Controllers/v2/MemberControllerV2.cs
@@ -40,6 +40,13 @@ namespace PluralKit.API
         [HttpPost("members")]
         public async Task<IActionResult> MemberCreate([FromBody] JObject data)
         {
+            var system = await ResolveSystem("@me");
+
+            var memberCount = await _repo.GetSystemMemberCount(system.Id);
+            var memberLimit = system.MemberLimitOverride ?? Limits.MaxMemberCount;
+            if (memberCount >= memberLimit)
+                throw Errors.MemberLimitReached;
+
             var patch = MemberPatch.FromJSON(data);
             patch.AssertIsValid();
             if (!patch.Name.IsPresent)
@@ -47,8 +54,6 @@ namespace PluralKit.API
             if (patch.Errors.Count > 0)
                 throw new ModelParseError(patch.Errors);
 
-            var system = await ResolveSystem("@me");
-
             using var conn = await _db.Obtain();
             using var tx = await conn.BeginTransactionAsync();
 
diff --git a/PluralKit.API/Errors.cs b/PluralKit.API/Errors.cs
index 90281455..e19e74dc 100644
--- a/PluralKit.API/Errors.cs
+++ b/PluralKit.API/Errors.cs
@@ -94,6 +94,8 @@ namespace PluralKit.API
         public static PKError SameSwitchMembersError = new(400, 40004, "Member list identical to current fronter list.");
         public static PKError SameSwitchTimestampError = new(400, 40005, "Switch with provided timestamp already exists.");
         public static PKError InvalidSwitchId = new(400, 40006, "Invalid switch ID.");
+        public static PKError MemberLimitReached = new(400, 40007, "Member limit reached.");
+        public static PKError GroupLimitReached = new(400, 40008, "Group limit reached.");
         public static PKError Unimplemented = new(501, 50001, "Unimplemented");
     }