FIX: validate poll parameters when type=multiple

plugins/poll/assets/javascripts/poll_dialect.js

@@ -57,7 +57,7 @@
       if (attributes[DATA_PREFIX + "type"] === "number") {
         // default values
         if (isNaN(min)) { min = 1; }
-        if (isNaN(max)) { max = 10; }
+        if (isNaN(max)) { max = Discourse.SiteSettings.poll_maximum_options; }
         if (isNaN(step)) { step = 1; }
         // dynamically generate options
         contents.push(["bulletlist"]);

plugins/poll/config/locales/client.en.yml

@@ -21,9 +21,9 @@ en:
 
       multiple:
         help:
-          at_least_min_options: "You may choose at least <strong>%{count}</strong> options."
+          at_least_min_options: "You must choose at least <strong>%{count}</strong> options."
           up_to_max_options: "You may choose up to <strong>%{count}</strong> options."
-          x_options: "You may choose <strong>%{count}</strong> options."
+          x_options: "You must choose <strong>%{count}</strong> options."
           between_min_and_max_options: "You may choose between <strong>%{min}</strong> and <strong>%{max}</strong> options."
 
       cast-votes:

plugins/poll/config/locales/server.en.yml

@@ -23,6 +23,9 @@ en:
     default_poll_must_have_different_options: "Poll must have different options."
     named_poll_must_have_different_options: "Poll named <strong>%{name}</strong> must have different options."
 
+    default_poll_with_multiple_choices_has_invalid_parameters: "Poll with multiple choices has invalid parameters."
+    named_poll_with_multiple_choices_has_invalid_parameters: "Poll named <strong>%{name}</strong> with multiple choice has invalid parameters."
+
     requires_at_least_1_valid_option: "You must select at least 1 valid option."
 
     cannot_change_polls_after_5_minutes: "You cannot add, remove or rename polls after the first 5 minutes."

plugins/poll/plugin.rb

@@ -248,6 +248,19 @@ after_initialize do
         return
       end
 
+      # poll with multiple choices
+      if poll["type"] == "multiple"
+        min = (poll["min"].presence || 1).to_i
+        max = (poll["max"].presence || poll["options"].size).to_i
+
+        if min > max || max <= 0 || max > poll["options"].size || min >= poll["options"].size
+          poll["name"] == DEFAULT_POLL_NAME ?
+            self.errors.add(:base, I18n.t("poll.default_poll_with_multiple_choices_has_invalid_parameters")) :
+            self.errors.add(:base, I18n.t("poll.named_poll_with_multiple_choices_has_invalid_parameters", name: poll["name"]))
+          return
+         end
+      end
+
       # store the valid poll
       polls[poll["name"]] = poll
     end

plugins/poll/spec/controllers/posts_controller_spec.rb

@@ -49,6 +49,13 @@ describe PostsController do
       expect(json["errors"][0]).to eq(I18n.t("poll.default_poll_must_have_less_options", max: SiteSetting.poll_maximum_options))
     end
 
+    it "should have valid parameters" do
+      xhr :post, :create, { title: title, raw: "[poll type=multiple min=5]\n- A\n- B[/poll]" }
+      expect(response).not_to be_success
+      json = ::JSON.parse(response.body)
+      expect(json["errors"][0]).to eq(I18n.t("poll.default_poll_with_multiple_choices_has_invalid_parameters"))
+    end
+
     it "prevents self-xss" do
       xhr :post, :create, { title: title, raw: "[poll name=<script>alert('xss')</script>]\n- A\n- B\n[/poll]" }
       expect(response).to be_success