Enforce the usage of POST requests for administrator login requests – doesn't affect core CMS as it's doing POST logins by default anyway.
Apply patch, login.
Login works
Login works
Status | New | ⇒ | Pending |
Category | ⇒ | Administration com_login |
This fixes the reported security issue. I'm not sure why we are now resolving Joomla 4 security issues in public repeatedly now though.
Joomla 4 is not released as stable yet and so is a pre-release. As long as the reported issue is an issue only within 4.x, or, as in this case, will only be fixed within 4.x, it gets a PR in the public tracker.
Reporting it to Security@ helps to check that distinction upfront for sure.
Edit: just to make that clear, the above statement is true until 4.x is in a stable state. ;-)
I have tested this item
I have tested this item
Status | Pending | ⇒ | Fixed in Code Base |
Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2020-11-01 23:02:19 |
Closed_By | ⇒ | wilsonge | |
Thanks!
Oh well, you can only lead a horse to water, you cannot make it drink... I'm done.
'post' is not needed. That is the default for the first param of checkToken.
Did you take a wider look, or specific to the report? What about the other 13 uses of checkToken('request') - have you ensured those are also not introducing a security issue? (hint, there is another security issue)

Should a GET have the ability to set the default "home" property for a list of items by GET request, when it should only be able to be set by POST (@since 1.6)?

Surely the ones using 'request' should be more specifically a "get" or a "post" (which is the default when no method set)? A method that can be called by GET and POST is probably badly coded I guess.

$this->checkToken('request'); is also used in the "Method to confirm the password request." - is that ok in context?
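As an added illustration of the distinction the comment above draws between checkToken('post') and checkToken('request'), the following simplified PHP is not Joomla's own implementation; it only mimics how the method argument selects which part of the request the CSRF token is read from. The function name, array arguments and sample request values are assumptions constructed for this example.

```php
<?php
declare(strict_types=1);

/**
 * Simplified stand-in for a checkToken($method)-style CSRF check (not Joomla's code).
 * $method selects where the token may be read from:
 *   'post'    -> only the POST body (the default, as noted in the thread)
 *   'get'     -> only the query string
 *   'request' -> either one, which is what the thread questions for state-changing actions
 * The token travels as a parameter whose *name* is the token value and whose value is "1".
 */
function checkTokenFrom(string $sessionToken, array $get, array $post, string $method = 'post'): bool
{
    switch ($method) {
        case 'post':
            $source = $post;
            break;
        case 'get':
            $source = $get;
            break;
        case 'request':
            // Same shape as $_REQUEST: a query-string parameter satisfies the check too.
            $source = array_merge($get, $post);
            break;
        default:
            throw new InvalidArgumentException("Unknown token source: $method");
    }

    // Only alphanumeric parameter names are considered, in the spirit of an 'alnum' filter,
    // and the comparison is constant-time.
    foreach ($source as $name => $value) {
        if (!is_string($name) || !ctype_alnum($name)) {
            continue;
        }
        if (hash_equals($sessionToken, $name) && (string) $value === '1') {
            return true;
        }
    }
    return false;
}

// Constructed sample request: a valid token arrives in the query string, the body carries none.
$sessionToken = 'a3f9c1d2e4b5f6a7b8c9d0e1f2a3b4c5';            // constructed, not a real token
$get  = ['task' => 'items.setDefault', $sessionToken => '1']; // constructed GET parameters
$post = [];                                                  // no POST body at all

var_dump(checkTokenFrom($sessionToken, $get, $post, 'request')); // GET is enough under 'request'
var_dump(checkTokenFrom($sessionToken, $get, $post, 'post'));    // the default insists on POST
```

Under 'request' the state-changing task above is reachable with nothing but a link, so the token ends up in URLs, browser history and Referer headers; restricting the check to 'post' is what keeps the token in the form body.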