From 8453e003fd92c824bd8249d1324b2a27cadb9bc8 Mon Sep 17 00:00:00 2001
From: Sukhwinder Dhillon
Date: Wed, 3 Jul 2024 16:03:47 +0200
Subject: [PATCH] Contacts|Contactgroups endpoints: Only allow filter on GET method
---
 .../controllers/ApiV1ContactgroupsController.php | 7 ++++++-
 application/controllers/ApiV1ContactsController.php | 11 ++++++-----
 2 files changed, 12 insertions(+), 6 deletions(-)
diff --git a/application/controllers/ApiV1ContactgroupsController.php b/application/controllers/ApiV1ContactgroupsController.php
index 59f54f8fc..d235bf6f9 100644
--- a/application/controllers/ApiV1ContactgroupsController.php
+++ b/application/controllers/ApiV1ContactgroupsController.php
@@ -60,8 +60,13 @@ public function indexAction(): void
             $this->httpBadRequest('The given identifier is not a valid UUID');
         }
 
+        $filterStr = rawurldecode(Url::fromRequest()->getQueryString());
+        if ($method !== 'GET' && $filterStr) {
+            $this->httpBadRequest('Filter is only allowed for GET requests');
+        }
+
         $filter = FilterProcessor::assembleFilter(
-            QueryString::fromString(rawurldecode(Url::fromRequest()->getQueryString()))
+            QueryString::fromString($filterStr)
                 ->on(
                     QueryString::ON_CONDITION,
                     function (Filter\Condition $condition) {
diff --git a/application/controllers/ApiV1ContactsController.php b/application/controllers/ApiV1ContactsController.php
index d8d78f201..80f902aae 100644
--- a/application/controllers/ApiV1ContactsController.php
+++ b/application/controllers/ApiV1ContactsController.php
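Review bot: The new guard `if ($method !== 'GET' && $filterStr)` tests the decoded query string for truthiness, so a non-GET request whose query string decodes to the single character `'0'` is treated as "no filter" and still reaches `FilterProcessor::assembleFilter`; compare explicitly instead, `if ($method !== 'GET' && $filterStr !== '') {`. The identical hunk in application/controllers/ApiV1ContactsController.php needs the same change. With the block now duplicated verbatim in both controllers, it may be worth moving the query-string fetch and method check into a shared helper (a trait or common base controller, if one exists) so the two endpoints cannot drift apart. `$method` is assigned outside the hunk, so whether it is already normalised to upper case cannot be confirmed from here; indexAction both starts and ends outside the hunk.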
@@ -65,8 +65,13 @@ public function indexAction(): void
             $this->httpBadRequest('The given identifier is not a valid UUID');
         }
 
+        $filterStr = rawurldecode(Url::fromRequest()->getQueryString());
+        if ($method !== 'GET' && $filterStr) {
+            $this->httpBadRequest('Filter is only allowed for GET requests');
+        }
+
         $filter = FilterProcessor::assembleFilter(
-            QueryString::fromString(rawurldecode(Url::fromRequest()->getQueryString()))
+            QueryString::fromString($filterStr)
                 ->on(
                     QueryString::ON_CONDITION,
                     function (Filter\Condition $condition) {
@@ -164,10 +169,6 @@ function (Filter\Condition $condition) {
                 exit;
             case 'POST':
-                if ($filter !== null) {
-                    $this->httpBadRequest('Cannot filter on POST');
-                }
-
                 $data = $this->getValidatedData();
                 $db->beginTransaction();