Cristian Diaconescu

Reputation: 35681

WebApi + OData: limit maximum results

I have a WebAPI controller that takes an ODataOptions parameter.

I want to make sure the user can't download the whole database in one swoop.
So I validated the options object:

public IHttpActionResult Get(ODataQueryOptions<ViewModel> options)
{
    // Cap the value a client may pass in $top.
    var oDataValidationSettings = new ODataValidationSettings
    {
        MaxTop = 100
    };
    try
    {
        // Throws ODataException when the query violates the settings.
        options.Validate(oDataValidationSettings);
    }
    catch (ODataException ex)
    {
        return BadRequest("OData query validation failed: " + ex.Message);
    }
    //return results
}

This works great for calls like

http://host/api/controller?$filter=...&$top=1000

This returns the expected validation error message.

But it is trivially easy to circumvent by simply making a request to:

http://host/api/controller?

No $top, no nothing. This in effect returns the whole table!
The validator is not triggered if the $top parameter is not specified at all.

I could append a .Take(100) when constructing the query from the oData options, but it seems hacky.

Is there any better way to deal with a missing $top?

Upvotes: 0

Views: 1436

Answers (1)

Vincent

Reputation: 340

You can try to use PageSize, which will limit the number of entities being returned. Refer to this example for how to use it: https://github.com/OData/ODataSamples/tree/master/WebApi/v4/ODataPagingSample

Upvotes: 1
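
One way to apply the PageSize suggestion in a controller that takes ODataQueryOptions, as an added example that is not part of the question, the answer or the linked sample. It assumes the System.Web.OData namespaces of Microsoft.AspNet.OData 5.x; ItemsController, the ViewModel shape and the in-memory data are hypothetical.

```csharp
// Added example; namespaces assume Microsoft.AspNet.OData 5.x (OData v4).
using System.Linq;
using System.Web.Http;
using System.Web.OData.Query;
using Microsoft.OData.Core; // ODataException (assumed namespace for this package line)

public class ViewModel   // hypothetical stand-in for the question's ViewModel
{
    public int Id { get; set; }
    public string Name { get; set; }
}

public class ItemsController : ApiController   // hypothetical controller name
{
    private const int MaxRows = 100;

    // Constructed in-memory data; a real controller would expose an ORM IQueryable.
    private static readonly IQueryable<ViewModel> Source =
        Enumerable.Range(1, 1000)
                  .Select(i => new ViewModel { Id = i, Name = "row" + i })
                  .AsQueryable();

    public IHttpActionResult Get(ODataQueryOptions<ViewModel> options)
    {
        // Rejects an explicit $top above the cap; does nothing when $top is absent.
        var validation = new ODataValidationSettings { MaxTop = MaxRows };
        try
        {
            options.Validate(validation);
        }
        catch (ODataException ex)
        {
            return BadRequest("OData query validation failed: " + ex.Message);
        }

        // PageSize is enforced by the server whether or not the client sent $top,
        // so a bare GET with no query options returns at most MaxRows rows.
        var settings = new ODataQuerySettings { PageSize = MaxRows };
        IQueryable page = options.ApplyTo(Source, settings);

        return Ok(page);
    }
}
```

MaxTop and PageSize cover different cases: the first rejects an oversized explicit $top, the second bounds the response when the client sends none.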
