From fa2aafe41fdda08d920af48bb8b2217c46b54ccf Mon Sep 17 00:00:00 2001
From: snipe <snipe@snipe.net>
Date: Wed, 12 Nov 2025 20:19:52 +0000
Subject: [PATCH] Set a limit on number of users for group user loading

---
 .env.example                                     |  2 +-
 app/Http/Controllers/GroupsController.php        | 12 ++++++++++--
 config/app.php                                   | 12 +++++++++++-
 resources/lang/en-US/admin/settings/general.php  |  1 +
 resources/views/blade/form-legend-help.blade.php |  6 +++++-
 resources/views/blade/form-legend.blade.php      |  3 ++-
 resources/views/groups/edit.blade.php            | 10 ++++++++--
 7 files changed, 38 insertions(+), 8 deletions(-)

diff --git a/.env.example b/.env.example
index 9dd34d0881..b850885002 100644
--- a/.env.example
+++ b/.env.example
@@ -197,7 +197,7 @@ REPORT_TIME_LIMIT=12000
 API_THROTTLE_PER_MINUTE=120
 CSV_ESCAPE_FORMULAS=true
 LIVEWIRE_URL_PREFIX=null
-
+MAX_UNPAGINATED=5000
 
 # --------------------------------------------
 # OPTIONAL: SAML SETTINGS
diff --git a/app/Http/Controllers/GroupsController.php b/app/Http/Controllers/GroupsController.php
index 82a17ddd16..0e83eb9aff 100755
--- a/app/Http/Controllers/GroupsController.php
+++ b/app/Http/Controllers/GroupsController.php
@@ -48,7 +48,9 @@ class GroupsController extends Controller
         return view('groups/edit', compact('permissions', 'selectedPermissions', 'groupPermissions'))
             ->with('group', $group)
             ->with('associated_users', [])
-            ->with('unselected_users', $users);
+            ->with('unselected_users', $users)
+            ->with('all_users_count', $users->count())
+            ;
     }
 
     /**
@@ -108,7 +110,13 @@ class GroupsController extends Controller
         // Get the unselected users
         $unselected_users = \App\Models\User::whereNotIn('id', $associated_users->pluck('id')->toArray())->orderBy('first_name', 'asc')->orderBy('last_name', 'asc')->get();
 
-        return view('groups.edit', compact('group', 'permissions', 'selected_array', 'groupPermissions'))->with('associated_users', $associated_users)->with('unselected_users', $unselected_users);
+        // We need the total to see whether or not we should show the user selection box :(
+        $all_users_count = $associated_users->count() + $unselected_users->count();
+
+        return view('groups.edit', compact('group', 'permissions', 'selected_array', 'groupPermissions'))
+            ->with('associated_users', $associated_users)
+            ->with('unselected_users', $unselected_users)
+            ->with('all_users_count', $all_users_count);
     }
 
     /**
diff --git a/config/app.php b/config/app.php
index 8dc0b82312..428f16fe22 100755
--- a/config/app.php
+++ b/config/app.php
@@ -448,5 +448,15 @@ return [
   */
 
     'escape_formulas' => env('CSV_ESCAPE_FORMULAS', true),
-    
+
+  /*
+  |--------------------------------------------------------------------------
+  | Max Unpaginated Records
+  |--------------------------------------------------------------------------
+  | This sets the maximum number of records that can be exported or
+  | viewed without pagination. This is to prevent server timeouts.
+  */
+
+    'max_unpaginated_records' => env('MAX_UNPAGINATED', '5000'),
+
 ];
diff --git a/resources/lang/en-US/admin/settings/general.php b/resources/lang/en-US/admin/settings/general.php
index 41c608c7ba..59b443af31 100644
--- a/resources/lang/en-US/admin/settings/general.php
+++ b/resources/lang/en-US/admin/settings/general.php
@@ -423,6 +423,7 @@ return [
     'redirect_url' => 'Redirect URL',
     'client_secret' => 'Client Secret',
     'client_id' => 'Client ID',
+    'too_many_users_to_show' => 'The number of users (:count) is larger than the unpaginated record limit (:max). Use the bulk user edit tool to manage group memberships.',
 
     'username_formats' => [
         'username_format'		=> 'Username Format',
diff --git a/resources/views/blade/form-legend-help.blade.php b/resources/views/blade/form-legend-help.blade.php
index 6d1c2ab744..145c01e7d7 100644
--- a/resources/views/blade/form-legend-help.blade.php
+++ b/resources/views/blade/form-legend-help.blade.php
@@ -1,5 +1,9 @@
+@props([
+    'icon' => null,
+])
+
 <!-- Form Legend Help Component -->
 <p class="callout-subtext">
-    <x-icon type="tip" class="text-info" />
+    <x-icon type="{{ $icon ?? 'tip' }}" class="text-info" />
     {!! $slot !!}
 </p>
diff --git a/resources/views/blade/form-legend.blade.php b/resources/views/blade/form-legend.blade.php
index de4c70554b..3350c19df0 100644
--- a/resources/views/blade/form-legend.blade.php
+++ b/resources/views/blade/form-legend.blade.php
@@ -1,5 +1,6 @@
 @props([
     'help_text' => null,
+    'icon' => null,
 ])
 <!-- Form Legend Component -->
 <legend class="callout callout-legend">
@@ -8,7 +9,7 @@
     </h4>
 
     @if ($help_text)
-        <x-form-legend-help>
+        <x-form-legend-help :icon="$icon">
             {!!  $help_text !!}
         </x-form-legend-help>
     @endif
diff --git a/resources/views/groups/edit.blade.php b/resources/views/groups/edit.blade.php
index 7464308418..81c02dd826 100755
--- a/resources/views/groups/edit.blade.php
+++ b/resources/views/groups/edit.blade.php
@@ -41,16 +41,19 @@
 
 
 <fieldset>
-    <x-form-legend help_text="{{ trans('general.add_users_to_group_help') }}">
-        {{ trans('general.add_users_to_group') }}
+    <x-form-legend icon="warning" help_text="{{ (isset($all_users_count) && ($all_users_count < config('app.max_unpaginated_records'))) ? trans('general.add_users_to_group_help') : trans('admin/settings/general.too_many_users_to_show', ['count'=> $all_users_count, 'max' => config('app.max_unpaginated_records')]) }}">
+       {{ trans('general.add_users_to_group') }}
     </x-form-legend>
 
 <!-- this is a temp fix for the select2 not working inside modals -->
 
 
+
     <div class="form-group">
         <div class="col-md-12">
 
+        @if(($all_users_count ) && ($all_users_count < config('app.max_unpaginated_records')))
+
         <!-- This hidden input will store the selected user IDs as a comma-separated string to avoid max_input_vars and max_multipart_body_parts php.ini issues -->
         <input type="hidden" name="users_to_sync" id="hidden_ids_box" class="form-control" value="{{ ($associated_users && is_array($associated_users)) ? implode(",", $associated_users->pluck('id')->toArray()) :  '' }}"/>
 
@@ -95,9 +98,12 @@
                 </div>
 
         </div>
+
     </div>
 </div>
 </fieldset>
+@endif
+
 
 <div class="col-md-12">
     @include ('partials.forms.edit.permissions-base', ['use_inherit' => false])