Fixed By using API, You can create resource categories which has invalid parents, then they become ghost categories

Affected version
2.1.5

Earl

Active member
Summary:
By making an API (superuser key with resource_category:write scope enabled) request, you can create resource categories which has invalid parent IDs.
Then they become invisible in resource categories page in the admin panel and resource index.

Steps to reproduce:
  1. Create category:write scope enabled Superuser API Key.
  2. Open the terminal and type this command:
    Bash:
    curl -d "title=test&parent_category_id=9999" -H "XF-Api-Key: 1UKWxVJF1FCiMwQbcn1nimsCvd6J" -H "XF-Api-User: 1" -H "Content-Type: application/x-www-form-urlencoded" -X POST -L https://xenforo.com/community/index.php\?api/resource-categories
    (Don't forget to replace the correct API key)

Expected results:
It should show an error exception: "The parent category is not found" or something like that.


Actual results:
It gives this success JSON respond
JSON:
{
    "success": true,
    "category": {
        "allow_commercial_external": true,
        "allow_external": true,
        "allow_fileless": true,
        "allow_local": true,
        "can_add": false,
        "can_upload_images": false,
        "custom_fields": [],
        "description": "",
        "display_order": 1,
        "enable_support_url": true,
        "enable_versioning": true,
        "last_resource_id": 0,
        "last_resource_title": "",
        "last_update": 0,
        "min_tags": 0,
        "parent_category_id": 8,
        "prefixes": [],
        "resource_category_id": 15,
        "resource_count": 0,
        "title": "test"
    }
}
You can't see this category in admin panel (https://xenforo.com/community/admin.php?resource-manager/categories/)
Then again, you can edit or delete this ghost category by navigating to this page:

"https://xenforo.com/community/admin.php?resource-manager/categories/test.15/edit"

(Note: the category ID number in that url is the number I got from JSON response "resource_category_id": 15, )
 

XF Bug Bot

XenForo bug fixer bot
Staff member
Thank you for reporting this issue, it has now been resolved. We are aiming to include any changes that have been made in a future XF release (2.1.8).

Change log:
Validate parent IDs correctly when inserting tree structured data.
There may be a delay before changes are rolled out to the XenForo Community.
 

Mike

XenForo developer
Staff member
Worth making it clear that this is fixed in core code that the RM and MG both use and this should fix the issue for both of them (and any other add-ons that might use the "tree structured" behavior).
 
Top