diff --git a/packages/worker/src/api/controllers/global/users.ts b/packages/worker/src/api/controllers/global/users.ts
index 0520990f2f..b0e3219656 100644
--- a/packages/worker/src/api/controllers/global/users.ts
+++ b/packages/worker/src/api/controllers/global/users.ts
@@ -195,7 +195,11 @@ export const search = async (ctx: Ctx) => {
     if (filters && typeof filters === "object") {
       for (let [field, value] of Object.entries(filters)) {
         delete filters[field]
-        filters[db.removeKeyNumbering(field)] = value
+        const cleanedField = db.removeKeyNumbering(field)
+        if (filters[cleanedField] !== undefined) {
+          ctx.throw(400, "Only 1 filter per field is supported")
+        }
+        filters[cleanedField] = value
       }
     }
   }
diff --git a/packages/worker/src/api/routes/global/tests/users.spec.ts b/packages/worker/src/api/routes/global/tests/users.spec.ts
index 1365173b21..c792de70a9 100644
--- a/packages/worker/src/api/routes/global/tests/users.spec.ts
+++ b/packages/worker/src/api/routes/global/tests/users.spec.ts
@@ -617,6 +617,36 @@ describe("/api/global/users", () => {
     expect(response.body.data[0]._id).toBe(user._id)
   })
 
+  it("should throw an error when using multiple filters on the same field", async () => {
+    const user = await config.createUser()
+    await config.api.users.searchUsers(
+      {
+        query: {
+          string: {
+            ["1:email"]: user.email,
+            ["2:email"]: "something else",
+          },
+        },
+      },
+      { status: 400 }
+    )
+  })
+
+  it("should throw an error when using multiple filters on the same field without prefixes", async () => {
+    const user = await config.createUser()
+    await config.api.users.searchUsers(
+      {
+        query: {
+          string: {
+            ["_id"]: user.email,
+            ["999:_id"]: "something else",
+          },
+        },
+      },
+      { status: 400 }
+    )
+  })
+
   it("should throw an error when unimplemented options used", async () => {
     const user = await config.createUser()
     await config.api.users.searchUsers(
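Review bot: The duplicate check `filters[cleanedField] !== undefined` reads through the prototype chain, so if `filters` is a plain object parsed from the request body, a single filter on a field named like an `Object.prototype` member (e.g. `constructor`) is rejected with the 400 even though no second filter was sent, while the check otherwise relies on the stored value rather than the key's presence. An own-property test makes the rejection depend only on whether the cleaned key was already written in this loop: `if (Object.prototype.hasOwnProperty.call(filters, cleanedField)) {`. A short comment above the check would also help, e.g. `// entries are a snapshot, so a second key that strips to the same name means the caller sent two filters for one field`. The body of `search` starts before and ends after this hunk, and neither how `filters` is derived from the request nor what `db.removeKeyNumbering` strips is visible here.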