apostrophe 4.14.1 → 4.14.2
- package/CHANGELOG.md +8 -0
- package/modules/@apostrophecms/doc-type/index.js +10 -0
- package/package.json +1 -1
- package/test/pieces.js +4 -4
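--- a/package/CHANGELOG.md
+++ b/package/CHANGELOG.md
@@ -1,5 +1,13 @@
 # Changelog
 
+## UNRELEASED
+
+## 4.14.2 (2025-04-02)
+
+### Fixes
+
+* Hotfix: the `choices` query parameter of the REST API no longer results in a 500 error if an invalid filter name is part of the list. Such filters are now properly ignored in `choices`. This issue could also have resulted in invocation of query methods that are not builders, however since all such methods are read-only operations, no arguments could be passed and no information was returned, there are no security implications.
+
 ## 4.14.1 (2025-03-31)
 
 ### Fixes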
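--- a/package/modules/@apostrophecms/doc-type/index.js
+++ b/package/modules/@apostrophecms/doc-type/index.js
@@ -2482,6 +2482,16 @@ module.exports = {
 // except this one (filtering by topic pares down the list of categories and
 // vice versa)
 const _query = baseQuery.clone();
+// Make sure this is a legitimate builder before attempting to shut it off
+if (!_.has(query.builders, filter)) {
+continue;
+}
+// Make sure it would ever be accepted via a query parameter before attempting
+// to shut it off
+if (!query.builders[filter].launder) {
+continue;
+}
+// Now shut it off
 _query[filter](null);
 choices[filter] = await _query.toChoices(filter, { counts: query.get('counts') });
 }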
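Review bot: The guard `_.has(query.builders, filter)` treats its second argument as a property path if `_` is lodash (the import is outside the hunk), so a name containing `.` or `[` can pass the guard while `query.builders[filter]` is still undefined. The following check, `query.builders[filter].launder`, would then throw and bring back the 500 error this hotfix is meant to remove. A plain key test avoids that: `if (!Object.prototype.hasOwnProperty.call(query.builders, filter)) {`. Both checks could also move above `baseQuery.clone()` so that ignored names do not cost a clone. The loop and its enclosing function start outside the hunk, so whether `filter` is already restricted to simple names upstream is not visible here.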
package/package.json
CHANGED
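--- a/package/test/pieces.js
+++ b/package/test/pieces.js
@@ -1161,8 +1161,8 @@ describe('Pieces', function() {
 assert(response._products[0]._id === draftRelatedProductId);
 });
 
-it('can GET results plus filter choices', async function() {
-const response = await apos.http.get('/api/v1/product?choices=title,visibility,_articles,articles', {
+it('can GET results plus filter choices and ignore bogus filter names in choices', async function() {
+const response = await apos.http.get('/api/v1/product?choices=title,visibility,_articles,articles,bogus', {
 jar
 });
 assert(response);
@@ -1182,8 +1182,8 @@ describe('Pieces', function() {
 assert(response.choices.articles[0].value === 'first-article');
 });
 
-it('can GET results plus filter counts', async function() {
-const response = await apos.http.get('/api/v1/product?_edit=1&counts=title,visibility,_articles,articles', {
+it('can GET results plus filter counts, ignoring bogus filter names', async function() {
+const response = await apos.http.get('/api/v1/product?_edit=1&counts=title,visibility,_articles,articles,bogus', {
 jar
 });
 assert(response);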
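Review bot: Neither updated test asserts what happens to the `bogus` name in the lines shown, so both would pass as long as the request does not fail. If the rest of the first test body (outside the hunks) does not already do so, add `assert(response.choices.bogus === undefined);` next to the existing `response.choices` assertions, so the "ignore" behaviour named in the test title is pinned. The changelog also mentions names that match a query method that is not a builder. A separate case for such a name, and one for a builder without `launder`, would exercise the two new guards in doc-type/index.js individually.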