Commit 66f7a3d
Security: Remove exposed validation-token test endpoint
`ValidationTokenController::testGenerateToken()` exposed a route that minted a
valid `ValidationToken` for any resource id with no authorization check, so any
caller could forge tokens and drive the privileged validation actions they gate
(e.g. unsubscribing arbitrary users from tickets).
The method was a test-only helper, referenced nowhere and pointing at a route
name that no longer exists, so it is removed entirely along with its now-unused
`UrlGeneratorInterface` import. Token issuance remains confined to the
authorized `ValidationTokenHelper` flow.
Refs GHSA-9g35-w847-rpp8
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>1 parent 00eb082 commit 66f7a3d
1 file changed
Lines changed: 0 additions & 16 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
19 | 19 | | |
20 | 20 | | |
21 | 21 | | |
22 | | - | |
23 | 22 | | |
24 | 23 | | |
25 | 24 | | |
| |||
71 | 70 | | |
72 | 71 | | |
73 | 72 | | |
74 | | - | |
75 | | - | |
76 | | - | |
77 | | - | |
78 | | - | |
79 | | - | |
80 | | - | |
81 | | - | |
82 | | - | |
83 | | - | |
84 | | - | |
85 | | - | |
86 | | - | |
87 | | - | |
88 | | - | |
89 | 73 | | |
90 | 74 | | |
91 | 75 | | |
| |||
0 commit comments