feat: Pointed API url to actionTrigger to support non-superuser acces…

…s and lock down API controller
wrav · Sep 15, 2023 · e276264 · e276264
1 parent 6725d2d
commit e276264
Show file tree

Hide file tree

Showing 4 changed files with 10 additions and 4 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,11 @@
 # Related Changelog
 
+## 2.1.0 - 2023-09-15
+
+### Updated
+- Pointed API url to actionTrigger to support non-superuser access, thanks @Eviltoastey for the issue #23
+- Locked down API controller to only allow users to access it to prevent data leakage
+
 ## 2.0.1 - 2023-01-11
 
 ### Updated

diff --git a/composer.json b/composer.json
@@ -2,7 +2,7 @@
     "name": "wrav/related",
     "description": "A simple plugin that adds a widget within the Craft CP page sidebar, allowing you to quickly and easily access related entries.",
     "type": "craft-plugin",
-    "version": "2.0.1",
+    "version": "2.1.0",
     "keywords": [
         "craft",
         "cms",

diff --git a/src/assetbundles/related/dist/js/Related.js b/src/assetbundles/related/dist/js/Related.js
@@ -14,7 +14,7 @@ var sectionId = $("input[name='sectionId']").val() || '';
 var categoryId = $("input[name='groupId']").val() || '';
 var userId = $("input[name='userId']").val() || '';
 
-var cpTrigger = Craft && Craft.cpTrigger ? Craft.cpTrigger : 'admin';
+var actionTrigger = Craft && Craft.actionTrigger ? Craft.actionTrigger : 'actions';
 
 // Add Settings element for User page which it's missing
 if (!$("#settings").length) {
@@ -27,7 +27,7 @@ if (!$("#settings").length) {
 if (id != null) {
   $.ajax({
     type: "GET",
-    url: "/"+cpTrigger.toString()+"/related/default?id=" + id + "&sectionId=" + sectionId + "&userId=" + userId + "&categoryId=" + categoryId,
+    url: "/"+actionTrigger.toString()+"/related/default?id=" + id + "&sectionId=" + sectionId + "&userId=" + userId + "&categoryId=" + categoryId,
     async: true
   }).done(function (res) {
     if (res) {

diff --git a/src/controllers/DefaultController.php b/src/controllers/DefaultController.php
@@ -46,7 +46,7 @@ class DefaultController extends Controller
      *         The actions must be in 'kebab-case'
      * @access protected
      */
-    protected array|int|bool $allowAnonymous = ['index', 'do-something'];
+    protected array|int|bool $allowAnonymous = false; // Requires login to prevent data leakage
 
     // Public Methods
     // =========================================================================