[5.4] API users/levels: Validate group IDs in PATCH/POST requests #47455
adarshdubey03 wants to merge 4 commits into joomla:5.4-dev
@adarshdubey03 Please check the result of the CI check actions on GitHub. Code style checks are failing, and system tests are failing, too.

Hello @richard67, I implemented validation for the rules field following the documentation for the error handling https://manual.joomla.org/migrations/54-60/errorhandling/. Instead of the deprecated $this->setError(), I implemented the documentation-based approach, and that produces the correct API responses, but CI fails because of PHPStan.

Maybe @Hackwar can advise if you should add exclusions to the phpstan baseline file (I could help with that if that’s the way to go) or if you should change error handling of your code.

Pull Request resolves #46832.
Summary of Changes
Validates the rules field in the Users Access Levels API to ensure only existing user group IDs are accepted. Previously, invalid values were silently stored.
Testing Instructions
Follow #46832.
Actual result BEFORE applying this Pull Request
Invalid values were accepted and written to the database, e.g. the invalid { "rules": [99999] } gets 200 OK:
{
    "links": {
        "self": "http://localhost/joomla-cms/api/index.php/v1/users/levels/7"
    },
    "data": {
        "type": "levels",
        "id": "7",
        "attributes": {
            "id": 7,
            "title": "API Test Level",
            "rules": [
                99999
            ]
        }
    }
}
Expected result AFTER applying this Pull Request
Invalid input is rejected with a validation error and only valid existing group IDs are accepted, and the database remains consistent, e.g. the invalid { "rules": [99999] } gets 400 Bad Request:
{
    "errors": [
        {
            "title": "Invalid Group"
        }
    ]
}
Link to documentations
Please select:
Documentation link for guide.joomla.org:
No documentation changes for guide.joomla.org needed
Pull Request link for manual.joomla.org:
No documentation changes for manual.joomla.org needed
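
An added example, not code from this pull request or from Joomla: one way the check described above could treat a `rules` payload, including the edge cases a reviewer would probe (non-array input, booleans, numeric strings, negative IDs). The function name `validateLevelRules`, the sample group IDs and the error wording are assumptions; a real implementation would load the existing IDs from the user groups table.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper, not the PR's code: check a "rules" payload against the
 * group IDs that exist. Returns error strings; an empty list means "accept".
 */
function validateLevelRules(mixed $rules, array $existingGroupIds): array
{
    if (!is_array($rules)) {
        return ['rules must be an array of group IDs'];
    }

    $known  = array_flip($existingGroupIds); // ID => index, for isset() lookups
    $errors = [];

    foreach ($rules as $index => $value) {
        // Numeric strings such as "2" are normalised; floats, booleans,
        // nested arrays and strings like "2abc" fall through to the error.
        if (is_string($value) && ctype_digit($value)) {
            $value = (int) $value;
        }
        if (!is_int($value) || $value < 1) {
            $errors[] = sprintf('rules[%s] is not a positive integer', $index);
            continue;
        }
        if (!isset($known[$value])) {
            $errors[] = sprintf('rules[%s]: group ID %d does not exist', $index, $value);
        }
    }

    return $errors;
}

// Constructed sample data: the group IDs assumed to exist on a test site.
$existing = [1, 2, 6, 7, 8];

foreach ([[1, 2], [99999], ['2', 8], [true], '1,2', [2, -1]] as $payload) {
    $errors = validateLevelRules($payload, $existing);
    // Same response shape as in the PR description: 400 plus an "errors" list.
    $status = $errors === [] ? 200 : 400;
    $body   = $errors === []
        ? ['rules' => $payload]
        : ['errors' => array_map(fn ($e) => ['title' => $e], $errors)];
    echo $status, ' ', json_encode($body), PHP_EOL;
}
```

Validation has to run before anything is written, so that a rejected request leaves the stored level unchanged.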