From 40d5155d07a89e3962bc0f7b35729de759b879fe Mon Sep 17 00:00:00 2001 From: xlecours Date: Tue, 4 Jul 2023 11:20:59 -0400 Subject: [PATCH 1/2] using isAccesibleBy on candidate endpoint --- modules/api/php/endpoints/candidates.class.inc | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/modules/api/php/endpoints/candidates.class.inc b/modules/api/php/endpoints/candidates.class.inc index ed56e9a7242..1820a90d8ed 100644 --- a/modules/api/php/endpoints/candidates.class.inc +++ b/modules/api/php/endpoints/candidates.class.inc @@ -150,6 +150,11 @@ class Candidates extends Endpoint implements \LORIS\Middleware\ETagCalculator $candidate = \NDB_Factory::singleton()->candidate($candID); + if (!$candidate->isAccessibleBy($user)) { + // Return not found instead of forbidden to hide this candid existance. + return new \LORIS\Http\Response\JSON\NotFound('Candidate not found'); + } + $endpoint = new Candidate\Candidate($candidate); $pathparts = array_slice($pathparts, 2); From f09f44866ec166e2e1a72054fcfb350c4ae504dc Mon Sep 17 00:00:00 2001 From: xlecours Date: Tue, 4 Jul 2023 13:38:31 -0400 Subject: [PATCH 2/2] forbidden is expected in subendpoints --- modules/api/php/endpoints/candidates.class.inc | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/modules/api/php/endpoints/candidates.class.inc b/modules/api/php/endpoints/candidates.class.inc index 1820a90d8ed..0cf6904debb 100644 --- a/modules/api/php/endpoints/candidates.class.inc +++ b/modules/api/php/endpoints/candidates.class.inc @@ -151,8 +151,7 @@ class Candidates extends Endpoint implements \LORIS\Middleware\ETagCalculator $candidate = \NDB_Factory::singleton()->candidate($candID); if (!$candidate->isAccessibleBy($user)) { - // Return not found instead of forbidden to hide this candid existance. - return new \LORIS\Http\Response\JSON\NotFound('Candidate not found'); + return new \LORIS\Http\Response\JSON\Forbidden(); } $endpoint = new Candidate\Candidate($candidate);
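Review bot: The switch to `return new \LORIS\Http\Response\JSON\Forbidden();` makes a CandID's existence observable to any authenticated caller who fails `isAccessibleBy($user)`, because the gate now answers differently from whatever `\NDB_Factory::singleton()->candidate($candID)` does for an unknown ID (that lookup's failure path, like `$user`'s origin, is above the hunk, so the exact contrast is inferred). The comment removed in this hunk was the only record of that enumeration concern, and the commit message's reason — sub-endpoints already return 403 — is not carried into the code, so the next reader will see an unexplained 403-vs-404 choice. I would keep the decision visible at the gate: `// 403 rather than 404 to match the sub-endpoints' existing behaviour; this does disclose that the CandID exists to authenticated users without access to it.` Since this one check is what protects every sub-endpoint reached through the `array_slice($pathparts, 2)` dispatch below, a regression test asserting 403 for a user without access to the candidate's site/project would keep it from being silently dropped; the enclosing handler begins and ends outside the hunk.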