authorFlorian Pritz <bluewind@xinu.at>2020-10-07 14:03:34 +0200
committerFlorian Pritz <bluewind@xinu.at>2020-10-07 14:04:47 +0200
commit3122bc42eb59b005bc5e5036480e1116c0b59a49 (patch)
tree2dc85dee39c634100850b2b263a6ce3aff1dc54c /application
parent4bdbb005a9b214d5355d4f2036d510f898bc8a87 (diff)
API: Only consider public methods as API endpoints
We are not only interested in checking if a method exists here, but really also if it can be called (e.g. if it is public). Private methods should not be considered as potential API endpoints. Before this, private methods could be called, leading to a 500 error due to a call to the private method. Signed-off-by: Florian Pritz <bluewind@xinu.at>
Diffstat (limited to 'application')
-rw-r--r--application/controllers/Api.php2
1 files changed, 1 insertions, 1 deletions
diff --git a/application/controllers/Api.php b/application/controllers/Api.php
index 4f32ad427..b41f090dd 100644
--- a/application/controllers/Api.php
+++ b/application/controllers/Api.php
@@ -52,7 +52,7 @@ class Api extends MY_Controller {
}
$c= new $class;
- if (!method_exists($c, $function)) {
+ if (!method_exists($c, $function) || !is_callable([$c, $function])) {
throw new \exceptions\UserInputException("api/unknown-endpoint", "Unknown endpoint requested");
}
return $this->send_json_reply($c->$function());
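Review bot: `is_callable([$c, $function])` on the added line tests "callable from the scope of `Api`", not "public". A protected method declared in an ancestor that `$class` shares with `Api` (the hierarchy is not visible here) would still pass, as would every public method never meant as an endpoint, such as `__construct`, other magic methods and inherited helpers. If `$function` is taken from the request, as the `UserInputException` suggests, a scope-independent test placed after the `method_exists` check is tighter: `$m = new \ReflectionMethod($c, $function);` then `if (!$m->isPublic() || strpos($function, '__') === 0) { throw ...; }`. An explicit per-class list of endpoint names would be stricter still. The enclosing method starts and ends outside this hunk, so how `$class` and `$function` are derived and validated cannot be confirmed from here.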