Fixed REST API: alerts/{id}/mark and alerts/mark-all checks incorrect scope

Affected version
2.2.4

Jake B.

Well-known member
The endpoints for marking alerts read (both individual, and all) try to use alert:read:write scope which is inalid

PHP:
protected function preDispatchController($action, ParameterBag $params)
{
   if (strtolower($action) == 'postmark')
   {
      $this->assertApiScopeByRequestMethod('alert:read');
   }
   else
   {
      $this->assertApiScopeByRequestMethod('alert');
   }

   $this->assertRegisteredUser();
}

and

PHP:
protected function preDispatchController($action, ParameterBag $params)
{
   if (strtolower($action) == 'postmarkall')
   {
      $this->assertApiScopeByRequestMethod('alert:read');
   }
   else
   {
      $this->assertApiScopeByRequestMethod('alert');
   }

   $this->assertRegisteredUser();
}

Should be:

PHP:
protected function preDispatchController($action, ParameterBag $params)
{
   if (strtolower($action) == 'postmark')
   {
      $this->assertApiScope('alert:read');
   }
   else
   {
      $this->assertApiScopeByRequestMethod('alert');
   }

   $this->assertRegisteredUser();
}

and

PHP:
protected function preDispatchController($action, ParameterBag $params)
{
   if (strtolower($action) == 'postmarkall')
   {
      $this->assertApiScope('alert:read');
   }
   else
   {
      $this->assertApiScopeByRequestMethod('alert');
   }

   $this->assertRegisteredUser();
}
 

XF Bug Bot

XenForo bug fixer bot
Staff member
Thank you for reporting this issue, it has now been resolved. We are aiming to include any changes that have been made in a future XF release (2.2.5).

Change log:
Check the correct scope when marking alerts as read via the API.
There may be a delay before changes are rolled out to the XenForo Community.
 
Top