fix: 🔒️ Avoid event fetch by ID, force UUID #242
Tim Izzo tim@octree.ch
Fri, 11 Feb 2022 15:34:50 +0100
1 files changed,
1 insertions(+),
0 deletions(-)
M
backend/api/event/controllers/event.js
→
backend/api/event/controllers/event.js
@@ -3,6 +3,7 @@
module.exports = {
 async findOne(ctx) {
 const uuid = ctx.params._uuid || ctx.params.uuid;
+ if (!uuid) throw new Error('No uuid provided');
 const event = await strapi.services.event.findOne({uuid});
 if (event) return strapi.services.event.sanitize(event);
 else return ctx.badRequest('No event found');
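Review bot: The added guard in `findOne` throws a plain `Error`, which will most likely surface to the client as a 500, while the not-found path two lines below already answers with `ctx.badRequest`. Returning `ctx.badRequest('No uuid provided')` instead keeps a missing identifier a client error and keeps request-side mistakes out of the server-error logs. The guard is also only a truthiness test, so any non-empty value still reaches `strapi.services.event.findOne({uuid})`. If the aim is to force UUID lookups, checking that `uuid` is a string in the UUID format the project generates before querying would make that explicit. `findOne`'s body continues outside the hunk.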