The password reset link included &admin=1 for system administrators, disclosing admin status in emails, browser history, and URL logs. The frontend can determine admin status after reset via session info.
Security: SSRF validation on import_url endpoints
Unscoped GET /api/v2/system/event loads every active service and calls getEventMap() on each, enumerating tables/procedures/functions for DB services. On customer instances with many services this takes seconds and the event-script create form hangs waiting. Add a services_only=true query param that short-circuits to return just the list of active, access-allowed service names via cached ServiceManager::getServiceNames(true). Pairs with the admin UI change that cascades service-select -> scoped event fetch. Existing paths (bare, ?service=, ?as_list=) are unchanged.
…ertions, stronger passwords)
- SystemServiceTest: explicitly authenticate as sysadmin in setUp so the list/get tests still pass once RBAC filtering is enforced. Replace position-based asserts (`services.0.name == 'system'`) with `assertContains` so additional services in the DB don't flake the test.
- AdminResourceTest: don't assert fixed admin counts — snapshot the count before the mutation and compare deltas. Match user rows by the `name` field instead of array index. Upgrade hardcoded passwords to ones that satisfy the new strength policy so the security fixes in df-core and df-user don't cascade-break these tests.
- UserResourceTestCase: matching password upgrade for shared fixture.
…rdening test: harden system tests (admin auth, order-independent asserts, stronger passwords)
thekevinm approved these changes Apr 22, 2026
Summary
Release sync of `develop` into `master`. Headline change: a fast path on the `/api/v2/system/event` resource that fixes the long-standing "spinning cog" hang when opening the Event Script create form in the admin UI.

perf: `services_only=true` on `/api/v2/system/event`

Problem. Unscoped `GET /system/event` loops over every active service and calls `$service->getEventMap()`, which for DB-type services walks tables/procedures/functions. On customer instances with many services (Triskele: ~11+), the admin UI's event-script create form would sit on a loading spinner waiting for this payload to come back.

Change. Added an optional `services_only=true` query param that returns just the list of active, access-allowed service names via the already-cached `ServiceManager::getServiceNames(true)`. Skips the per-service `getService()`/`getEventMap()` pass entirely.

Measured on an 8-service dev instance:
`?services_only=true`
On instances with many DB services the old path is seconds, not milliseconds — this is the 10–20x-plus reduction that kills the hanging-form symptom.

Backward compatible. Bare, `?service=<name>`, and `?as_list=true` paths are byte-identical to before. Only a new optional param was added (and documented in the OpenAPI paths).

Pairs with the matching df-admin-interface PR that switches the event-script form resolver to use `services_only=true`, then fetches the scoped event map on service selection.

Also in this batch (already merged to develop via prior PRs)
- `import_url` endpoints (Package, Import, App)

Test plan
- `?services_only=true` returns only service names (~80 bytes) in ~30 ms.
- `?service=<name>&scriptable=true` still returns the scoped event map unchanged.
- `?scriptable=true` call still returns the full cross-service event map (no contract change).