Joomla! Issue Tracker - CMS

Download
Launch
Feeling Lucky

[#40998] - Remove query parameters from API route variables

PR-5.0-dev Pending

User tests: Successful: Unsuccessful:

avatar SniperSister
SniperSister
21 Jun 2023

Summary of Changes

The security issue fixed with 4.2.8 (https://developer.joomla.org/security-centre/894-20230201-core-improper-access-check-in-webservice-endpoints.html) was caused by the fact that query parameters have been merged into API route variables. That behavior is neither smart nor necessary and therefore a deprecation notice has been added. This PR removes the merge code.

Testing Instructions

Code Review

avatar joomla-cms-bot joomla-cms-bot - change - 21 Jun 2023
Category Libraries
avatar SniperSister SniperSister - open - 21 Jun 2023
avatar SniperSister SniperSister - change - 21 Jun 2023
Status New Pending
avatar laoneo laoneo - change - 21 Jun 2023
Labels Added: PR-5.0-dev
avatar wilsonge
wilsonge - comment - 21 Jun 2023

We need to test the API Pagination still works. As that's the commit associated with this code being introduced. Obviously I support this removal - but point being we might need to make changes in the api controller to facilitate

avatar HLeithner
HLeithner - comment - 26 Jun 2023

@SniperSister did you tested what george said about pagination?

I'm merging this for now in alpha2 to get earlier feedback but we need documentation in manual.joomla.org please

avatar HLeithner HLeithner - close - 26 Jun 2023
avatar HLeithner HLeithner - merge - 26 Jun 2023
avatar HLeithner HLeithner - change - 26 Jun 2023
Status Pending Fixed in Code Base
Closed_Date 0000-00-00 00:00:00 2023-06-26 07:53:51
Closed_By HLeithner
avatar wilsonge
wilsonge - comment - 26 Jun 2023

@laoneo could we get some system test for pagination in webservices? It's going to be a bit time consuming in the tests creating enough articles or whatever but ?‍♂️ i guess that's life

Add a Comment

Login with GitHub to post a comment