AI meta-generation AJAX endpoint lacks ACL check and HTTP error handling #99

New Issue

2026-06-29T14:19:19Z

jmiller commented

2026-06-29 14:19:19 +00:00

Problem

MokoOG::onAjaxMokoog() (plg_system_mokoog/src/Extension/MokoOG.php:848-941) gates on isClient('administrator') + Session::checkToken() + ai_enabled, but performs no authorise() capability check. Any authenticated back-end user — including low-privilege ones — can trigger outbound paid AI API calls and burn credits.

Secondary issues in `callAiApi()` (lines 901-941)

No HTTP status check — $response->code is never inspected; a 4xx/5xx body is json_decode'd and trim(... ?? '') returns '', so auth/rate-limit/quota failures surface as a silent blank result with no diagnostic.
No timeout on HttpFactory::getHttp() — a hung provider blocks the admin request indefinitely.

Fix

Add $user->authorise('core.edit', 'com_content') (or a dedicated mokoog.ai action — see access.xml issue #95) before generating.
Check $response->code and surface a meaningful error / log non-200 responses.
Pass a timeout to the HTTP client.

Severity

Security / cost-control (credit abuse) + reliability.

## Problem `MokoOG::onAjaxMokoog()` (`plg_system_mokoog/src/Extension/MokoOG.php:848-941`) gates on `isClient('administrator')` + `Session::checkToken()` + `ai_enabled`, but performs **no `authorise()` capability check**. Any authenticated back-end user — including low-privilege ones — can trigger outbound **paid** AI API calls and burn credits. ### Secondary issues in `callAiApi()` (lines 901-941) - **No HTTP status check** — `$response->code` is never inspected; a 4xx/5xx body is `json_decode`'d and `trim(... ?? '')` returns `''`, so auth/rate-limit/quota failures surface as a silent blank result with no diagnostic. - **No timeout** on `HttpFactory::getHttp()` — a hung provider blocks the admin request indefinitely. ## Fix - Add `$user->authorise('core.edit', 'com_content')` (or a dedicated `mokoog.ai` action — see access.xml issue #95) before generating. - Check `$response->code` and surface a meaningful error / log non-200 responses. - Pass a timeout to the HTTP client. ## Severity Security / cost-control (credit abuse) + reliability.

jmiller added the security production-readiness labels 2026-06-29 14:19:19 +00:00

jmiller commented

2026-06-29 14:19:22 +00:00

Branch created: feature/99-ai-meta-generation-ajax-endpoint-lacks-a

git fetch origin
git checkout feature/99-ai-meta-generation-ajax-endpoint-lacks-a

Branch created: [`feature/99-ai-meta-generation-ajax-endpoint-lacks-a`](https://git.mokoconsulting.tech/MokoConsulting/MokoSuiteOpenGraph/src/branch/feature/99-ai-meta-generation-ajax-endpoint-lacks-a) ```bash git fetch origin git checkout feature/99-ai-meta-generation-ajax-endpoint-lacks-a ```

jmiller referenced this issue from a commit

2026-06-29 14:52:58 +00:00

fix: security & correctness batch (#99, #100, #101, #102, #106)

jmiller referenced a pull request that will close this issue

2026-06-29 14:53:22 +00:00

fix: security & correctness batch — AI ACL, sitemap disclosure, API/CSV columns, forward-compat (#99 #100 #101 #102 #106) #109

jmiller closed this issue

2026-06-29 14:53:43 +00:00

jmiller referenced this issue from a commit

2026-06-29 14:53:44 +00:00

Merge pull request 'fix: security & correctness batch — AI ACL, sitemap disclosure, API/CSV columns, forward-compat (#99 #100 #101 #102 #106)' (#109) from fix/security-correctness-batch into dev

jmiller commented

2026-06-29 14:54:02 +00:00

Fixed in PR #109 (merged to dev). onAjaxMokoog now requires core.edit/core.create on com_content before generating; callAiApi enforces a 20s timeout and throws on non-200 HTTP status instead of returning a silent empty string. Closing.

Fixed in PR #109 (merged to `dev`). `onAjaxMokoog` now requires `core.edit`/`core.create` on `com_content` before generating; `callAiApi` enforces a 20s timeout and throws on non-200 HTTP status instead of returning a silent empty string. Closing.

jmiller referenced this issue

2026-06-29 16:00:44 +00:00

docs: CHANGELOG + README for the current development cycle #114

jmiller referenced this issue

2026-06-29 16:26:51 +00:00

Release: promote dev → main (dashboard, edit UI, ACL, security & forward-compat) #115

Sign in to join this conversation.