I missed in the GSOC project we'd started to store state fullblown in the input object which is obviously wrong. This changes it so we do webservices properly and build a state object to pass into the model. This is a moderate security fix to the unreleased webservices because potentially with this you can inject arbitrary state into the model directly from query parameters which is obviously bad.
Testing Instructions
Affected webservices (e.g. categories) continue to function with no changes from before.