diff options
| author | Florian Pritz <bluewind@xinu.at> | 2020-10-07 14:03:34 +0200 |
|---|---|---|
| committer | Florian Pritz <bluewind@xinu.at> | 2020-10-07 14:04:47 +0200 |
| commit | 3122bc42eb59b005bc5e5036480e1116c0b59a49 (patch) | |
| tree | 2dc85dee39c634100850b2b263a6ce3aff1dc54c | |
| parent | 4bdbb005a9b214d5355d4f2036d510f898bc8a87 (diff) | |
API: Only consider public methods as API endpoints
We are not only interested in checking if a method exists here, but
really also if it can be called (e.g. if it is public). Private methods
should not be considered as potential API endpoints. Before this,
private methods could be called, leading to a 500 error due to a call to
the private method.
Signed-off-by: Florian Pritz <bluewind@xinu.at>
| -rw-r--r-- | application/controllers/Api.php | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/application/controllers/Api.php b/application/controllers/Api.php index 4f32ad427..b41f090dd 100644 --- a/application/controllers/Api.php +++ b/application/controllers/Api.php @@ -52,7 +52,7 @@ class Api extends MY_Controller { } $c= new $class; - if (!method_exists($c, $function)) { + if (!method_exists($c, $function) || !is_callable([$c, $function])) { throw new \exceptions\UserInputException("api/unknown-endpoint", "Unknown endpoint requested"); } return $this->send_json_reply($c->$function()); |