Fixed REST API: alerts/{id}/mark and alerts/mark-all checks incorrect scope

Jake B.

Well-known member
Affected version
2.2.4
The endpoints for marking alerts read (both individual and all) try to use the alert:read:write scope, which is invalid.

PHP:
protected function preDispatchController($action, ParameterBag $params)
{
   if (strtolower($action) == 'postmark')
   {
      $this->assertApiScopeByRequestMethod('alert:read');
   }
   else
   {
      $this->assertApiScopeByRequestMethod('alert');
   }

   $this->assertRegisteredUser();
}

and

PHP:
protected function preDispatchController($action, ParameterBag $params)
{
   if (strtolower($action) == 'postmarkall')
   {
      $this->assertApiScopeByRequestMethod('alert:read');
   }
   else
   {
      $this->assertApiScopeByRequestMethod('alert');
   }

   $this->assertRegisteredUser();
}

Should be:

PHP:
protected function preDispatchController($action, ParameterBag $params)
{
   if (strtolower($action) == 'postmark')
   {
      $this->assertApiScope('alert:read');
   }
   else
   {
      $this->assertApiScopeByRequestMethod('alert');
   }

   $this->assertRegisteredUser();
}

and

PHP:
protected function preDispatchController($action, ParameterBag $params)
{
   if (strtolower($action) == 'postmarkall')
   {
      $this->assertApiScope('alert:read');
   }
   else
   {
      $this->assertApiScopeByRequestMethod('alert');
   }

   $this->assertRegisteredUser();
}
 
Thank you for reporting this issue, it has now been resolved. We are aiming to include any changes that have been made in a future XF release (2.2.5).

Change log:
Check the correct scope when marking alerts as read via the API.
There may be a delay before changes are rolled out to the XenForo Community.
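
Why the reported code ends up demanding alert:read:write, shown as an added example that is not part of the thread and is not XenForo's own code. It assumes a simplified model of a by-request-method check that appends :read or :write to the scope it is given, and verifies that every scope a route demands is one a key can hold; the function names and the grantable-scope list are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Simplified model (assumption, not the framework's implementation) of a
// by-request-method scope check: the access type is appended to the base scope.
function scopeByRequestMethod(string $baseScope, string $httpMethod): string
{
    $type = strtoupper($httpMethod) === 'GET' ? 'read' : 'write';
    return $baseScope . ':' . $type;
}

// Constructed sample data: scopes that can actually be granted to an API key.
const GRANTABLE_SCOPES = ['alert:read', 'alert:write'];

// True when the scope a route demands is one a key could ever hold.
function isSatisfiable(string $requiredScope): bool
{
    return in_array($requiredScope, GRANTABLE_SCOPES, true);
}

// Label => scope the route ends up demanding for the given request method.
$checks = [
    // Reported code: a full scope is passed to the suffixing helper on a POST.
    'mark (reported code)'  => scopeByRequestMethod('alert:read', 'POST'),
    // Corrected code: the literal scope is asserted, no suffix is added.
    'mark (corrected code)' => 'alert:read',
    // The else branch passes only the base scope, so suffixing is correct.
    'other POST actions'    => scopeByRequestMethod('alert', 'POST'),
    'other GET actions'     => scopeByRequestMethod('alert', 'GET'),
];

$failures = 0;
foreach ($checks as $label => $scope) {
    $ok = isSatisfiable($scope);
    printf("%-22s requires %-17s %s\n", $label, $scope, $ok ? 'ok' : 'NOT GRANTABLE');
    if (!$ok) {
        $failures++;
    }
}

// Non-zero exit lets the check fail a CI job when any route demands a
// scope that no key can be granted.
exit($failures > 0 ? 1 : 0);
```

A scope that no key can hold fails closed, so the visible symptom is the endpoint rejecting every key rather than over-granting access.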
 