Skip to content

hardcode some limits (for now) #75

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
naps62 wants to merge 4 commits into
base: main
Choose a base branch
from
Open

hardcode some limits (for now) #75

naps62 wants to merge 4 commits into from

Conversation

@naps62
Copy link
Member

@naps62 naps62 commented Jan 14, 2026

No description provided.

Copilot AI review requested due to automatic review settings January 14, 2026 14:58
@vercel
Copy link

vercel bot commented Jan 14, 2026
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Review Updated (UTC)
stacks Ready Ready Preview, Comment Jan 14, 2026 3:02pm

Copilot AI reviewed Jan 14, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR adds hardcoded resource limits to prevent unbounded stack creation in the system. It introduces a per-user limit of 3 stacks and a global limit of 100 stacks across all users.

Changes:

  • Added limit constants and validation functions to check user and global stack counts
  • Refactored create_stack functions to validate limits before insertion
  • Added error handling in the stack controller for limit exceeded scenarios

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

File Description
server/lib/ethui/stacks.ex Adds limit constants, count queries, validation functions, and integrates limit checks into stack creation logic
server/lib/ethui_web/controllers/api/stack_controller.ex Adds HTTP error responses (403/503) for user and global limit exceeded scenarios
Comments suppressed due to low confidence (2)

server/lib/ethui/stacks.ex:159

  • The limit checking has a race condition vulnerability. The count is checked separately from the insert operation, which means multiple concurrent requests could pass the limit check before any insertions complete. This could allow the global limit to be exceeded.

Consider wrapping the count check and insert in a database transaction, or using a database constraint to enforce the limit atomically.


  def get_user_stack_by_slug(nil, slug) do
    Repo.get_by(Stack, slug: slug)
    |> Repo.preload(:api_key)
  end

server/lib/ethui/stacks.ex:164

  • The limit checking has a race condition vulnerability. The count is checked separately from the insert operation, which means multiple concurrent requests could pass the limit check before any insertions complete. This could allow users to exceed both the per-user limit and global limit.

Consider wrapping the count check and insert in a database transaction, or using a database constraint to enforce the limits atomically. For example, you could add the count check as part of the Ecto.Multi transaction.

    get_user_stack_by_slug(user_id, slug)
  end

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

server/lib/ethui_web/controllers/api/stack_controller.ex
Comment on lines +57 to +71
{:error, :user_limit_exceeded} ->
conn
|> put_status(403)
|> json(%{
status: "error",
error: "User stack limit reached (maximum 3 stacks per user)"
})

{:error, :global_limit_exceeded} ->
conn
|> put_status(503)
|> json(%{
status: "error",
error: "Global stack limit reached (maximum 100 stacks)"
})
Copy link

Copilot AI Jan 14, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The new limit enforcement behavior lacks test coverage. Given that the repository has comprehensive test coverage for the stack controller (as seen in stack_controller_test.exs), tests should be added to verify:

  1. That creating a stack succeeds when under the user limit
  2. That creating a 4th stack for the same user returns a 403 error with the appropriate message
  3. That creating a stack when the global limit is reached returns a 503 error with the appropriate message
  4. That different users can each create up to 3 stacks

Copilot uses AI. Check for mistakes.
server/lib/ethui_web/controllers/api/stack_controller.ex
Comment on lines +57 to +71
{:error, :user_limit_exceeded} ->
conn
|> put_status(403)
|> json(%{
status: "error",
error: "User stack limit reached (maximum 3 stacks per user)"
})

{:error, :global_limit_exceeded} ->
conn
|> put_status(503)
|> json(%{
status: "error",
error: "Global stack limit reached (maximum 100 stacks)"
})
Copy link

Copilot AI Jan 14, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The hardcoded limit values in the error messages create a maintainability issue. If the module constants @max_stacks_per_user or @max_total_stacks are changed, these error messages will become inaccurate.

Consider using string interpolation to reference the module constants directly, e.g., "User stack limit reached (maximum #{@max_stacks_per_user} stacks per user)" and "Global stack limit reached (maximum #{@max_total_stacks} stacks)".

Copilot uses AI. Check for mistakes.
@naps62 naps62 requested a review from ZePedroResende January 14, 2026 15:42
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@ZePedroResende ZePedroResende Awaiting requested review from ZePedroResende

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@naps62