Fixed By using API, You can create resource categories which has invalid parents, then they become ghost categories

Earl

Well-known member
Affected version
2.1.5
Summary:
By making an API (superuser key with resource_category:write scope enabled) request, you can create resource categories which has invalid parent IDs.
Then they become invisible in resource categories page in the admin panel and resource index.

Steps to reproduce:
  1. Create category:write scope enabled Superuser API Key.
  2. Open the terminal and type this command:
    Bash:
    curl -d "title=test&parent_category_id=9999" -H "XF-Api-Key: 1UKWxVJF1FCiMwQbcn1nimsCvd6J" -H "XF-Api-User: 1" -H "Content-Type: application/x-www-form-urlencoded" -X POST -L https://xenforo.com/community/index.php\?api/resource-categories
    (Don't forget to replace the correct API key)

Expected results:
It should show an error exception: "The parent category is not found" or something like that.


Actual results:
It gives this success JSON respond
JSON:
{
    "success": true,
    "category": {
        "allow_commercial_external": true,
        "allow_external": true,
        "allow_fileless": true,
        "allow_local": true,
        "can_add": false,
        "can_upload_images": false,
        "custom_fields": [],
        "description": "",
        "display_order": 1,
        "enable_support_url": true,
        "enable_versioning": true,
        "last_resource_id": 0,
        "last_resource_title": "",
        "last_update": 0,
        "min_tags": 0,
        "parent_category_id": 8,
        "prefixes": [],
        "resource_category_id": 15,
        "resource_count": 0,
        "title": "test"
    }
}
You can't see this category in admin panel (https://xenforo.com/community/admin.php?resource-manager/categories/)
Then again, you can edit or delete this ghost category by navigating to this page:

"https://xenforo.com/community/admin.php?resource-manager/categories/test.15/edit"

(Note: the category ID number in that url is the number I got from JSON response "resource_category_id": 15, )
 
Thank you for reporting this issue, it has now been resolved. We are aiming to include any changes that have been made in a future XF release (2.1.8).

Change log:
Validate parent IDs correctly when inserting tree structured data.
There may be a delay before changes are rolled out to the XenForo Community.
 
Worth making it clear that this is fixed in core code that the RM and MG both use and this should fix the issue for both of them (and any other add-ons that might use the "tree structured" behavior).
 
Top Bottom