By using the API, you can create resource categories which have invalid parents; they then become ghost categories

Affected version


By making an API request (superuser key with resource_category:write scope enabled), you can create resource categories which have invalid parent IDs.
They then become invisible on the resource categories page in the admin panel and in the resource index.

Steps to reproduce:
  1. Create a Superuser API key with the category:write scope enabled.
  2. Open the terminal and type this command:
    curl -d "title=test&parent_category_id=9999" -H "XF-Api-Key: 1UKWxVJF1FCiMwQbcn1nimsCvd6J" -H "XF-Api-User: 1" -H "Content-Type: application/x-www-form-urlencoded" -X POST -L\?api/resource-categories
    (Don't forget to replace it with the correct API key)

Expected results:
It should show an error exception: "The parent category is not found" or something like that.

Actual results:
It gives this success JSON response:
{
    "success": true,
    "category": {
        "allow_commercial_external": true,
        "allow_external": true,
        "allow_fileless": true,
        "allow_local": true,
        "can_add": false,
        "can_upload_images": false,
        "custom_fields": [],
        "description": "",
        "display_order": 1,
        "enable_support_url": true,
        "enable_versioning": true,
        "last_resource_id": 0,
        "last_resource_title": "",
        "last_update": 0,
        "min_tags": 0,
        "parent_category_id": 8,
        "prefixes": [],
        "resource_category_id": 15,
        "resource_count": 0,
        "title": "test"
    }
}
You can't see this category in the admin panel (
Then again, you can edit or delete this ghost category by navigating to this page:


(Note: the category ID number in that URL is the number I got from the JSON response: "resource_category_id": 15.)
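
An added example (not part of the original report and not XenForo's own code): the parent check the report expects on create, plus an audit that finds existing ghost categories, including children nested under one. It uses the field names from the JSON response above; treating parent_category_id 0 as the root, the function names and the sample rows are assumptions constructed for illustration.

```python
ROOT_ID = 0  # assumption: top-level categories have parent_category_id 0


def validate_parent(parent_id, existing_ids):
    """Check expected on create: the parent is the root or an existing category."""
    return parent_id == ROOT_ID or parent_id in existing_ids


def find_ghost_categories(categories):
    """Return {category_id: reason} for every category not reachable from the root."""
    parents = {c["resource_category_id"]: c["parent_category_id"] for c in categories}
    ghosts = {}
    for cat_id in parents:
        seen = set()
        node = cat_id
        while node != ROOT_ID:
            if node not in parents:
                # The chain ran into an ID that does not exist in the table.
                if parents[cat_id] == node:
                    ghosts[cat_id] = "missing parent %d" % node
                else:
                    ghosts[cat_id] = "ancestor chain ends at missing category %d" % node
                break
            if node in seen:
                # Walking upward revisited a category: the chain never reaches root.
                ghosts[cat_id] = "parent cycle"
                break
            seen.add(node)
            node = parents[node]
    return ghosts


# Constructed sample rows: 15 mirrors the request in the report (parent 9999),
# 16 is a child created under the ghost category afterwards.
SAMPLE = [
    {"resource_category_id": 1, "parent_category_id": 0, "title": "root child"},
    {"resource_category_id": 8, "parent_category_id": 1, "title": "nested"},
    {"resource_category_id": 15, "parent_category_id": 9999, "title": "test"},
    {"resource_category_id": 16, "parent_category_id": 15, "title": "under ghost"},
]

if __name__ == "__main__":
    for cat_id, reason in sorted(find_ghost_categories(SAMPLE).items()):
        print(cat_id, reason)
```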