MokoConsulting/MokoJoomCross
1
0
Fork 0
Code Issues 32 Pull Requests Releases 1 Wiki Activity

Bug: testConnection() broken event dispatch and missing CSRF/ACL #107

New Issue
Closed
opened 2026-06-06 11:50:06 +00:00 by jmiller · 1 comment
jmiller commented 2026-06-06 11:50:06 +00:00
Owner
Copy Link
Copy Source

Audit Findings

Severity: Critical

Problem 1: Broken event dispatch pattern

ServiceController::testConnection() uses old-style [&$servicePlugins] pass-by-reference event dispatch, but all service plugins use Joomla 5+ SubscriberInterface which writes to Event ArrayAccess indices starting at 1. The $servicePlugins array remains empty — testConnection never finds any plugin and always fails.

Problem 2: Missing CSRF and ACL checks

No $this->checkToken() and no authorise() check. Any authenticated backend user can trigger API calls to external services.

Fix:

  1. Use Event ArrayAccess reading pattern (same as QueueProcessor::getServicePluginMap())
  2. Add $this->checkToken() and core.manage ACL check

Files: ServiceController.php

## Audit Findings **Severity:** Critical ### Problem 1: Broken event dispatch pattern `ServiceController::testConnection()` uses old-style `[&$servicePlugins]` pass-by-reference event dispatch, but all service plugins use Joomla 5+ `SubscriberInterface` which writes to Event ArrayAccess indices starting at 1. The `$servicePlugins` array remains empty — **testConnection never finds any plugin and always fails**. ### Problem 2: Missing CSRF and ACL checks No `$this->checkToken()` and no `authorise()` check. Any authenticated backend user can trigger API calls to external services. **Fix:** 1. Use Event ArrayAccess reading pattern (same as `QueueProcessor::getServicePluginMap()`) 2. Add `$this->checkToken()` and `core.manage` ACL check **Files:** `ServiceController.php`
jmiller commented 2026-06-06 11:50:07 +00:00
Author
Owner
Copy Link
Copy Source

Branch created: feature/107-bug-testconnection-broken-event-dispatch

git fetch origin
git checkout feature/107-bug-testconnection-broken-event-dispatch
Branch created: [`feature/107-bug-testconnection-broken-event-dispatch`](https://git.mokoconsulting.tech/MokoConsulting/MokoJoomCross/src/branch/feature/107-bug-testconnection-broken-event-dispatch) ```bash git fetch origin git checkout feature/107-bug-testconnection-broken-event-dispatch ```
Sign in to join this conversation.
Labels
Clear labels
bug
Something is not working
 chore
Maintenance and housekeeping
 documentation
Documentation improvements
 enhancement
Improvement to existing functionality
 feature
New feature or request
 pending: dependency
Blocked by another issue or external dependency
 pending: deployment
Tested and approved, awaiting deployment to production
 pending: design
Needs UI/UX or architecture design before implementation
 pending: documentation
Feature works, needs documentation/wiki update
 pending: feedback
Awaiting feedback or decision from stakeholder
 pending: review
Implementation complete, awaiting code review
 pending: testing
Feature implemented but not yet tested
 refactor
Code restructuring without behavior change
 roadmap
Planned feature or enhancement tracked on the roadmap
 scope: client
Client-specific work
 scope: dolibarr
Dolibarr modules and customizations
 scope: infrastructure
Server, CI, backups, monitoring
 scope: joomla
Joomla templates and extensions
 scope: waas
MokoWaaS platform
 security
Security vulnerability or hardening
No labels
Type
Milestone
No items
No Milestone
Assignees
Clear assignees
jmiller (Jonathan Miller)
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: MokoConsulting/MokoJoomCross#107
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?