From e2762642450c8f2bc04c2ac0ae169c18cd85ef3c Mon Sep 17 00:00:00 2001 From: reganlawton Date: Fri, 15 Sep 2023 12:29:41 +1000 Subject: [PATCH] feat: Pointed API url to actionTrigger to support non-superuser access and lock down API controller --- CHANGELOG.md | 6 ++++++ composer.json | 2 +- src/assetbundles/related/dist/js/Related.js | 4 ++-- src/controllers/DefaultController.php | 2 +- 4 files changed, 10 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 4c668af..ea865d8 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,11 @@ # Related Changelog +## 2.1.0 - 2023-09-15 + +### Updated +- Pointed API url to actionTrigger to support non-superuser access, thanks @Eviltoastey for the issue #23 +- Locked down API controller to only allow users to access it to prevent data leakage + ## 2.0.1 - 2023-01-11 ### Updated diff --git a/composer.json b/composer.json index 233b297..bd5f4eb 100644 --- a/composer.json +++ b/composer.json @@ -2,7 +2,7 @@ "name": "wrav/related", "description": "A simple plugin that adds a widget within the Craft CP page sidebar, allowing you to quickly and easily access related entries.", "type": "craft-plugin", - "version": "2.0.1", + "version": "2.1.0", "keywords": [ "craft", "cms", diff --git a/src/assetbundles/related/dist/js/Related.js b/src/assetbundles/related/dist/js/Related.js index 1f340fe..6ad377a 100644 --- a/src/assetbundles/related/dist/js/Related.js +++ b/src/assetbundles/related/dist/js/Related.js @@ -14,7 +14,7 @@ var sectionId = $("input[name='sectionId']").val() || ''; var categoryId = $("input[name='groupId']").val() || ''; var userId = $("input[name='userId']").val() || ''; -var cpTrigger = Craft && Craft.cpTrigger ? Craft.cpTrigger : 'admin'; +var actionTrigger = Craft && Craft.actionTrigger ? Craft.actionTrigger : 'actions'; // Add Settings element for User page which it's missing if (!$("#settings").length) { 
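Review bot: The guard on the new `var actionTrigger = Craft && Craft.actionTrigger ? ... : 'actions';` line throws a ReferenceError when the `Craft` global is not declared at all, so the `'actions'` fallback is only reached when `Craft` exists without an `actionTrigger` property; a guard that actually tolerates the global being absent is `var actionTrigger = typeof Craft !== 'undefined' && Craft.actionTrigger ? Craft.actionTrigger : 'actions';`. The literal `'actions'` is only the stock default, so a site with a customised trigger that is not exposed on the `Craft` object would request a path that does not exist — presumably the CP bootstrap always sets it, but that assumption deserves a comment such as `// Craft.actionTrigger is populated by the CP bootstrap; 'actions' is only the stock default`. The `if (!$("#settings").length)` block opened on the last hunk line closes outside the hunk.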
@@ -27,7 +27,7 @@ if (!$("#settings").length) { if (id != null) { $.ajax({ type: "GET", - url: "/"+cpTrigger.toString()+"/related/default?id=" + id + "§ionId=" + sectionId + "&userId=" + userId + "&categoryId=" + categoryId, + url: "/"+actionTrigger.toString()+"/related/default?id=" + id + "§ionId=" + sectionId + "&userId=" + userId + "&categoryId=" + categoryId, async: true }).done(function (res) { if (res) { diff --git a/src/controllers/DefaultController.php b/src/controllers/DefaultController.php index 0247fae..8426112 100644 --- a/src/controllers/DefaultController.php +++ b/src/controllers/DefaultController.php @@ -46,7 +46,7 @@ class DefaultController extends Controller * The actions must be in 'kebab-case' * @access protected */ - protected array|int|bool $allowAnonymous = ['index', 'do-something']; + protected array|int|bool $allowAnonymous = false; // Requires login to prevent data leakage // Public Methods // =========================================================================
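Review bot: The new `url:` line still concatenates `id`, `sectionId`, `userId` and `categoryId` — values read straight from DOM inputs earlier in the file — into the query string with no `encodeURIComponent`, so a value containing `&`, `#` or `%` is split or mis-parsed server-side. Let jQuery encode them instead: `url: "/" + actionTrigger + "/related/default",` followed by `data: { id: id, sectionId: sectionId, userId: userId, categoryId: categoryId },` (the `.toString()` call is then redundant). The hard-coded leading `/` also presumes the site is served from the web root; if the control-panel bundle exposes it, `Craft.getActionUrl('related/default', params)` would presumably build both the trigger and the base path correctly — verify against the Craft version in use. The `$.ajax` call and the enclosing `if (id != null)` block close outside the hunk.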
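Review bot: `$allowAnonymous = false` only requires a logged-in user; it does not check that the user may access the control panel or view the elements the action returns, so now that the JS targets the action trigger any front-end site account can call `related/default` with arbitrary `id`/`sectionId`/`userId`/`categoryId` values, which is the data leakage the inline comment says this change prevents. Add an explicit authorization check in the action (or in `beforeAction`), e.g. `$this->requirePermission('accessCp');`, and filter the returned elements through the current user's view permission before serialising them (presumably `Craft::$app->getElements()->canView($element, $user)` on recent Craft — verify against the version in composer.json). Since the endpoint is only ever called via AJAX, `$this->requireAcceptsJson();` is also worth adding. The action body itself lies outside this hunk, so whether it already restricts results cannot be confirmed here.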