#99 — AI AJAX endpoint hardening:
- require core.edit/core.create on com_content before generating (was
reachable by any authenticated back-end user → paid-credit abuse)
- callAiApi: 20s timeout + HTTP status check (throw on non-200) instead of
silently returning an empty string
#100 — Sitemap information disclosure + robustness:
- filter to public (guest) view levels so registered/special-access
articles are never written into the public sitemap
- atomic write (temp file + rename) so concurrent saves can't expose a
half-written sitemap.xml
- (throttling + SEF URLs remain follow-ups, noted on the issue)
#101 — Expose newer columns in CSV + API:
- og_video, event_data, recipe_data, custom_schema added to CSV export/import
(appended, so existing CSVs still import) and to the REST API field whitelist
- import validates JSON fields as arrays/objects and og_video as http(s)
(prevents re-introducing the #97 scalar-JSON-LD crash via import)
#102 — Forward-compat (complete):
- Factory::getLanguage() -> getApplication()->getLanguage() (4 sites)
- Joomla\CMS\Filesystem\File/Folder -> Joomla\Filesystem\* (ImageHelper, ImageGenerator)
#106 — partial: loadArticle() now caches null misses (array_key_exists),
getArticleDate() skips 0000-00-00 dates. Batch-JS halt deferred — the
offset=0 design re-fetches failed rows, so the created>0 guard prevents an
infinite loop; a safe fix needs cursor-based pagination in BatchController.
Removes accessors deprecated in Joomla 5 and slated for removal in 7
(extension already runs on 6; this future-proofs for 7):
- Factory::getDbo() -> Factory::getContainer()->get(DatabaseInterface::class)
across plugins, controllers, static helpers, and the install script
- Factory::getUser() -> Factory::getApplication()->getIdentity()
- Factory::getSession() -> Factory::getApplication()->getSession()
- jexit(Text::_('JINVALID_TOKEN')) -> throw new \RuntimeException(..., 403),
consistent with the access-denied checks already in those controllers
Note: SQL update-version concern is already resolved — the release bumped
to 01.05.00, which matches the 01.05.00.sql update slot.
Product rename (display name / docs / comments / language strings only —
technical element names mokoog/com_mokoog/MokoOG namespace unchanged):
- Replace "MokoJoom" -> "MokoSuite" across 55 files
- Fixes the update-site license lookup in script.php, which matched the
old "%MokoJoomOpenGraph%" name and would never find a "MokoSuite" site
Joomla 6 compatibility:
- script.php: minimumJoomla 4.0.0 -> 6.0.0, minimumPhp 8.1.0 -> 8.2.0,
and actually enforce the Joomla floor in preflight() (was PHP-only)
- Add PKG_MOKOOG_JOOMLA_VERSION_ERROR language strings (en-GB, en-US)
- openapi.yaml + README state Joomla 6.0+ requirement
- Audit confirmed the codebase already uses only Joomla-6-supported APIs
- Rename project source directory from src/ to source/
- Update CI workflows (ci-joomla, pr-check, repo-health) to check
source/ first, falling back to src/ and htdocs/ for compat
- Update .gitignore vendor exception path
- manifest.xml entry-point already updated
Authored-by: Moko Consulting
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>