Labels: No Code Attached Yet, bug, Webservices

muhme - 4 Feb 2026

PATCH/POST users/levels doesn't check group IDs. The argument is written unchecked to the database and can cause exceptions in the backend afterwards. Validate that all group IDs are numeric and refer to existing groups; fail otherwise.

Steps to reproduce the issue

  1. Get Super User's API Token and set as environment variable
  2. False set by group name
    curl -k -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" -w "\nHTTP status: %{http_code}\n" -X PATCH 'https://localhost:7154/api/index.php/v1/users/levels/1' -d '{ "rules": [ "Public" ] }'
  3. Missing array
    curl -k -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" -w "\nHTTP status: %{http_code}\n" -X PATCH 'https://localhost:7154/api/index.php/v1/users/levels/1' -d '{ "rules": 1 }'
  4. Not-existing group IDs
    curl -k -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" -w "\nHTTP status: %{http_code}\n" -X PATCH 'https://localhost:7154/api/index.php/v1/users/levels/1' -d '{ "rules": [ 42 ] }'
  5. Same 1. ... 3. for POST request, e.g.
    curl -kH "Authorization: Bearer $TOKEN" -w "\nHTTP status: %{http_code}\n" -X POST 'https://localhost:7154/api/index.php/v1/users/levels' -d '{
      "title": "Test2",
      "rules": [ 4711 ]
    }'

Expected result

  1. Error is returned e.g. 422 Unprocessable Entity with e.g. "Invalid group IDs"
  2. It is working, the group ID is transformed to array, as before #46080 OR Error is returned e.g. 422 Unprocessable Entity with e.g. "Array missing"
  3. Error is returned e.g. 422 Unprocessable Entity with e.g. "Invalid group IDs"
  4. Error is returned e.g. 422 Unprocessable Entity with e.g. "Invalid group IDs"

Actual result

  1. 200 OK is returned, administrator > Users > Access Levels > User Groups With Viewing Access > no group set
  2. 200 OK is returned, administrator > Users > Exception in_array(): Argument #2 ($haystack) must be of type array, int given
  3. 200 OK is returned, administrator > Users > Access Levels > User Groups With Viewing Access > no group set
  4. 200 OK is returned, administrator > Users > Access Levels > User Groups With Viewing Access > no group set

System information (as much as possible)

Tested with 5.4-dev branch.

Additional comments

Found in testing #46080. This may be a minor priority.
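As an added illustration (not Joomla's code and not the PR's), the check the report asks for, written in PHP: `rules` must be an array, every entry numeric, and every ID an existing group, otherwise the request fails with 422. The set of existing group IDs and the payload list are constructed stand-ins for the database lookup and the curl calls above.

```php
<?php
declare(strict_types=1);

/**
 * Validate the "rules" member of a users/levels payload.
 *
 * @param mixed $rules            decoded JSON value of "rules"
 * @param int[] $existingGroupIds group IDs the store knows about (constructed here)
 * @return string[] error messages; empty when the payload is valid
 */
function validateAccessLevelRules($rules, array $existingGroupIds): array
{
    if (!is_array($rules)) {
        // Case "rules": 1 -- reject instead of silently coercing a scalar,
        // which is what produced the in_array() exception in the report.
        return ['Array missing'];
    }

    $invalid = [];
    $known   = array_flip($existingGroupIds);

    foreach ($rules as $id) {
        // Accept integers and integer-looking strings only; "Public" fails here.
        if (!is_int($id) && !(is_string($id) && ctype_digit($id))) {
            $invalid[] = var_export($id, true);
            continue;
        }
        if (!isset($known[(int) $id])) {
            $invalid[] = (string) $id;   // numeric but no such group, e.g. 42 or 4711
        }
    }

    return $invalid ? ['Invalid group IDs: ' . implode(', ', $invalid)] : [];
}

// Constructed sample: assume only group IDs 1..9 exist.
$existing = range(1, 9);

// The four payloads from the report plus one valid one.
$payloads = [
    ['rules' => ['Public']],   // name instead of ID       -> 422
    ['rules' => 1],            // scalar instead of array  -> 422
    ['rules' => [42]],         // unknown ID               -> 422
    ['rules' => [4711]],       // unknown ID               -> 422
    ['rules' => [1, 9]],       // valid                    -> 200
];

foreach ($payloads as $payload) {
    $errors = validateAccessLevelRules($payload['rules'], $existing);
    $status = $errors ? 422 : 200;
    printf("%-12s -> HTTP %d %s\n", json_encode($payload['rules']), $status, implode('; ', $errors));
}
```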

muhme - open - 4 Feb 2026
joomla-cms-bot - change - 4 Feb 2026
Labels Added: No Code Attached Yet
joomla-cms-bot - labeled - 4 Feb 2026
richard67 - change - 4 Feb 2026
Labels Added: bug Webservices
richard67 - labeled - 4 Feb 2026
richard67 - labeled - 4 Feb 2026

Jadhav-Dhanashri - comment - 24 Feb 2026

Hello maintainers,
I'm Dhanashri Jadhav, a GSoC aspirant.
Eager to contribute to GSoC projects & actively participate in Joomla.
Looking forward to collaborating & learning from all of you.
Thank you!

adarshdubey03 - comment - 14 Mar 2026

Hi @muhme, I have been working on this issue and wanted to confirm the intended behavior.

After adding validation in LevelModel, invalid or non-existent group IDs are correctly rejected, and the backend exception described here no longer occurs. But non-array inputs for rules still behave inconsistently because the field uses filter="intarray", which seems to normalize input before model validation.
Should the Web Services API strictly require rules to be an array and reject any non-array input (as you suggested in the “Missing array” case), or is this coercion via intarray considered acceptable behavior?
Also, are the 500 responses for certain invalid inputs something that should be addressed as part of this issue?

muhme - comment - 21 Mar 2026

Hi @adarshdubey03, I viewed the API only from the outside as a black box. Perhaps @alikon can explain how the API should work overall.

Regarding the 500 responses, it’s better to handle them in separate PRs rather than mixing too many changes together. Only include them in the same PR if they are directly related to the other changes.

Thanks a lot for working on this issue! I’m looking forward to testing your PR.

adarshdubey03 - comment - 23 Mar 2026

@muhme I have created the PR, please test that.
