From bc71be481148f61d67b7089796fe85becabba5d3 Mon Sep 17 00:00:00 2001
From: KyryloKireiev
Date: Thu, 24 Oct 2024 13:15:36 +0300
Subject: [PATCH] feat: [AXM-549] Add query limit to User Enrollments

---
 lms/djangoapps/mobile_api/users/views.py | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/lms/djangoapps/mobile_api/users/views.py b/lms/djangoapps/mobile_api/users/views.py
index b37a797403..fad1218435 100644
--- a/lms/djangoapps/mobile_api/users/views.py
+++ b/lms/djangoapps/mobile_api/users/views.py
@@ -544,6 +544,9 @@ class UserEnrollmentsStatus(views.APIView):
 less than 30 days ago or has progressed in the course in the last 30 days.
 Otherwise, the registration is considered inactive.
 
+ USER_ENROLLMENTS_LIMIT - adds users enrollments query limit to
+ safe API from possible DDOS attacks.
+
 **Example Request**
 
 GET /api/mobile/{api_version}/users//enrollments_status/
@@ -586,6 +589,9 @@ class UserEnrollmentsStatus(views.APIView):
 ]
 ```
 """
+
+ USER_ENROLLMENTS_LIMIT = 500
+
 def get(self, request, *args, **kwargs) -> Response:
 """
 Gets user's enrollments status.
@@ -613,7 +619,12 @@ class UserEnrollmentsStatus(views.APIView):
 Builds list with dictionaries with user's enrolments statuses.
 """
 user = get_object_or_404(User, username=username)
- user_enrollments = CourseEnrollment.enrollments_for_user(user).select_related('course')
+ user_enrollments = (
+ CourseEnrollment
+ .enrollments_for_user(user)
+ .select_related('course')
+ [:self.USER_ENROLLMENTS_LIMIT]
+ )
 mobile_available = [
 enrollment for enrollment in user_enrollments
 if is_mobile_available_for_user(user, enrollment.course_overview)
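Review bot: The new docstring paragraph in the first hunk overstates what the constant does — a queryset slice bounds how many rows a single request can pull, it does not protect the endpoint from a DDoS, since request volume is governed by the view's throttling, which this change does not touch. Suggest rewording it to describe the real effect and its visible consequence for callers, e.g. `USER_ENROLLMENTS_LIMIT - caps the number of enrollments examined per request (the list is truncated at this count and no indicator is returned when the cap is hit).` If the original sentence is kept, `safe API` should read `safeguard the API`.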
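Review bot: In the last hunk the slice `[:self.USER_ENROLLMENTS_LIMIT]` is applied to a queryset with no visible ordering, so for a user with more than 500 enrollments which ones are dropped is database-dependent, and the client receives no signal that the status list was truncated. Add an explicit ordering before the slice so the truncation is deterministic, e.g. `.order_by('-created')` if that is the enrollment model's creation timestamp (confirm against the model), and either document the cap in the response docs or surface an indicator when the limit is hit. This cap only bounds per-request database work; it is not a substitute for request throttling on the view. The enclosing helper method starts outside the hunk.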