From cd8f165a17b8d37f90b938e76dd589fa5610de8e Mon Sep 17 00:00:00 2001
From: Sam
Date: Wed, 19 Apr 2023 17:21:02 +0200
Subject: [PATCH] fix(backend): check number of custom preferences in patch
---
 backend/routes/user/patch_user.go | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/backend/routes/user/patch_user.go b/backend/routes/user/patch_user.go
index 5507b45..8375a0a 100644
--- a/backend/routes/user/patch_user.go
+++ b/backend/routes/user/patch_user.go
@@ -120,6 +120,10 @@ func (s *Server) patchUser(w http.ResponseWriter, r *http.Request) error {
 // validate custom preferences
 if req.CustomPreferences != nil {
+ if count := len(*req.CustomPreferences); count > db.MaxFields {
+ return server.APIError{Code: server.ErrBadRequest, Details: fmt.Sprintf("Too many custom preferences (max %d, current %d)", db.MaxFields, count)}
+ }
+
 for k, v := range *req.CustomPreferences {
 _, err := uuid.Parse(k)
 if err != nil {
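Review bot: The new `count > db.MaxFields` guard at the top of the `req.CustomPreferences != nil` branch bounds only the map sent in this request, and whether that enforces the stored limit depends on code outside the hunk (patchUser starts before it and continues past it). If the handler merges the patched entries into preferences already saved for the user, a caller could stay under the cap on every request and still grow the stored set past `db.MaxFields`; in that case the comparison should use the merged count rather than `len(*req.CustomPreferences)`. If the patch replaces the stored map wholesale, a comment such as `// req.CustomPreferences replaces the stored map, so len() here is the final count` would record why the request-only check is sufficient. The check also runs after the body has been decoded into `req`, so it limits what is persisted rather than what is parsed; it is worth confirming that a request-size limit is applied before decoding.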