fix(mapper): reject redundant namespace prefix in to= and controller= (#2794)

wheels-bot[bot] · github-actions[bot] · bpamiri · web-flow · commit 950a7f8fa8cf · 2026-05-22T08:01:02.000-07:00
* fix(mapper): reject redundant namespace prefix in to= and controller= Inside `.namespace("foo")` (or equivalent `.scope()` / `.package()`), writing `to="foo/dashboard##index"` instead of `to="dashboard##index"` silently produced a `foo.foo/dashboard` controller path that downstream got flattened to a `Foodashboard`-style class lookup with an opaque `Wheels.ViewNotFound` error — leaving users to chase the symptom rather than the route definition. `$match()` now detects when the parsed controller starts with the scope's package converted to slash form and throws `Wheels.MapperArgumentInvalid` at registration time. The error names the namespace and the offending value and points at the correct shorter form. Fixes #2791 Signed-off-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> * fix(mapper): address Reviewer A/B consensus findings (round 1) - Snapshot `local.fromTo` / `local.originalTo` before the `to=` parse block so the error detail can distinguish `to=` vs direct `controller=` callers (Reviewer A nit). - Add `Len(arguments.package) > 0` to the guard's outer condition so an empty package does not yield `prefix = "/"` and spuriously reject controllers whose path starts with a slash (Reviewer A response, Reviewer B round-1 missed-issue). - Collapse multi-line block comments above the guard in `matching.cfc` and above the new `it()` group in `MatchingSpec.cfc` to one-liners to comply with CLAUDE.md style (both reviewers). - Add a spec asserting `$match()` with `package = ""` and a controller starting with `/` is not falsely rejected. Signed-off-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> * fix(mapper): address Reviewer A/B consensus findings (round 2) - vendor/wheels/mapper/matching.cfc:328 — change local.hh = "##" to local.hh = "####" so the error-suggestion detail renders as to="dashboard##index" (source-correct CFML), not to="dashboard#index" (Reviewer A finding, Reviewer B verified). - vendor/wheels/tests/specs/mapper/MatchingSpec.cfc:241–242 — collapse the 2-line comment inside the "Allows controllers..." spec body to a single line per CLAUDE.md "one short line max" rule (both reviewers). Signed-off-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> --------- Signed-off-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Signed-off-by: Peter Amiri <peter@alurium.com> Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: Peter Amiri <peter@alurium.com>
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -22,6 +22,7 @@ All historical references to "CFWheels" in this changelog have been preserved fo
 
 ### Fixed
 
+- Routes registered inside `.namespace("foo")` (or equivalent `.scope()` / `.package()`) with a redundant namespace prefix in the controller path — e.g. `to="foo/dashboard##index"` instead of `to="dashboard##index"` — previously silently produced a `foo.foo/dashboard` lookup that downstream flattened to a `Foodashboard`-style class name with an opaque `Wheels.ViewNotFound` error. The Mapper now rejects this at route-registration time with `Wheels.MapperArgumentInvalid`, naming the namespace and the offending value and pointing at the correct shorter form, so users can find the bad route definition instead of chasing the symptom (#2791)
 - `WheelsTest` auto-bind missed user-defined global helpers added via `include` in `app/global/functions.cfm`. The pseudo-constructor used `getMetaData(application.wo).functions`, which only enumerates methods declared directly on the CFC and skips symbols merged in via `cfinclude`. Specs that called custom helpers (e.g. `can()`, `hasRole()`) had to manually rebind each one in `beforeAll()`. The auto-bind now iterates `application.wo` as a struct and binds every UDF via `isCustomFunction()`, preserving the existing public-only filter for declared methods (#2790)
 - Model layer SELECT clause builder now routes column identifiers through the adapter's `$quoteIdentifier`, so reserved-word column names (e.g. `key`, `order`, `group`) survive on every supported dialect instead of breaking `findAll` / `findOne` / dynamic finders with cryptic SQL syntax errors. The WHERE / ORDER BY paths already quoted columns; `$createSQLFieldList` and the empty-pagination column-list extraction in `read.cfc` now match.
 - `wheels packages install <name>` is now a transparent alias for `wheels packages add <name>` on every caller path that actually reaches `Module.cfc` (stdio MCP server, scripted in-process clients, spec suite). Previously the dispatch layer's `case "install":` branch printed a yellow warning to stdout and returned `""` without installing anything — so even though `PackagesMainCli.install()` itself had been a true alias for `add()` since #2729, any caller routing through the CLI module's verb dispatch silently no-op'd. The shell-facing `wheels packages install <name>` form is still intercepted by LuCLI's built-in extension installer upstream of module dispatch and remains broken on that path (and is documented as such in the module-owned help text), but MCP tool calls and programmatic callers now behave identically to `add`. Both branches now share a single fall-through body so the validation, error shape, and install behavior cannot drift apart again.
diff --git a/vendor/wheels/mapper/matching.cfc b/vendor/wheels/mapper/matching.cfc
@@ -303,12 +303,42 @@ component {
 		}
 
 		// Interpret "to" as "controller##action".
+		local.fromTo = false;
+		local.originalTo = "";
 		if (StructKeyExists(arguments, "to")) {
+			local.fromTo = true;
+			local.originalTo = arguments.to;
 			arguments.controller = ListFirst(arguments.to, "##");
 			arguments.action = ListLast(arguments.to, "##");
 			StructDelete(arguments, "to");
 		}
 
+		// Guard: reject redundant namespace prefix in to=/controller= (#2791).
+		if (
+			StructKeyExists(arguments, "package")
+			&& Len(arguments.package) > 0
+			&& StructKeyExists(arguments, "controller")
+			&& Find("/", arguments.controller)
+		) {
+			local.packageAsPath = Replace(arguments.package, ".", "/", "all");
+			local.prefix = local.packageAsPath & "/";
+			if (Len(arguments.controller) > Len(local.prefix) && Left(arguments.controller, Len(local.prefix)) == local.prefix) {
+				local.stripped = Mid(arguments.controller, Len(local.prefix) + 1, Len(arguments.controller) - Len(local.prefix));
+				local.actionForMsg = StructKeyExists(arguments, "action") ? arguments.action : "action";
+				local.hh = "####";
+				if (local.fromTo) {
+					local.detail = "Got controller=""" & arguments.controller & """ (from to=""" & local.originalTo & """). The namespace prefix is added automatically — use to=""" & local.stripped & local.hh & local.actionForMsg & """ instead.";
+				} else {
+					local.detail = "Got controller=""" & arguments.controller & """ (passed as controller=). The namespace prefix is added automatically — use controller=""" & local.stripped & """ (or to=""" & local.stripped & local.hh & local.actionForMsg & """) instead.";
+				}
+				Throw(
+					type = "Wheels.MapperArgumentInvalid",
+					message = "Route inside `.namespace('#arguments.package#')` (or equivalent `.scope()` / `.package()`) uses a redundant namespace prefix in its controller path.",
+					detail = local.detail
+				);
+			}
+		}
+
 		// Pull route name from arguments if it exists.
 		local.name = "";
 		if (StructKeyExists(arguments, "name")) {
diff --git a/vendor/wheels/tests/specs/mapper/MatchingSpec.cfc b/vendor/wheels/tests/specs/mapper/MatchingSpec.cfc
@@ -197,6 +197,77 @@ component extends="wheels.WheelsTest" {
                 expect(r[4]).toHaveKey("redirect")
                 expect(r[5]).toHaveKey("redirect")
             });
+
+            // Guard against redundant namespace prefix in to=/controller= (#2791).
+            it("Rejects to= with redundant namespace prefix", function(){
+                expect(function() {
+                    m.$draw()
+                    .namespace("datapai")
+                        .get(name = "datapaiDashboard", pattern = "dashboard", to = "datapai/dashboard##index")
+                    .end()
+                    .end();
+                }).toThrow(type = "Wheels.MapperArgumentInvalid");
+            });
+            it("Rejects controller= with redundant namespace prefix", function(){
+                expect(function() {
+                    m.$draw()
+                    .namespace("admin")
+                        .$match(name = "dashboard", method = "get", controller = "admin/dashboard", action = "index")
+                    .end()
+                    .end();
+                }).toThrow(type = "Wheels.MapperArgumentInvalid");
+            });
+            it("Rejects redundant prefix in nested namespaces", function(){
+                expect(function() {
+                    m.$draw()
+                    .namespace("admin")
+                        .namespace("users")
+                            .get(name = "edit", pattern = "edit", to = "admin/users/profile##edit")
+                        .end()
+                    .end()
+                    .end();
+                }).toThrow(type = "Wheels.MapperArgumentInvalid");
+            });
+            it("Rejects redundant prefix inside .package() too", function(){
+                expect(function() {
+                    m.$draw()
+                    .package("admin")
+                        .get(name = "users", pattern = "users", to = "admin/users##index")
+                    .end()
+                    .end();
+                }).toThrow(type = "Wheels.MapperArgumentInvalid");
+            });
+            it("Allows controllers whose name only happens to share a prefix with the namespace", function(){
+                // "foobar/dashboard" inside .namespace("foo") is not a redundant prefix — "foobar" != "foo".
+                m.$draw()
+                .namespace("foo")
+                    .get(name = "dashboard", pattern = "dashboard", to = "foobar/dashboard##index")
+                .end()
+                .end();
+                r = m.getRoutes();
+                expect(r).toBeArray();
+                expect(ArrayLen(r) >= 1).toBeTrue();
+            });
+            it("Accepts the correct (non-redundant) form inside a namespace", function(){
+                m.$draw()
+                .namespace("datapai")
+                    .get(name = "datapaiDashboard", pattern = "dashboard", to = "dashboard##index")
+                .end()
+                .end();
+                r = m.getRoutes();
+                expect(r).toBeArray();
+                expect(ArrayLen(r) >= 1).toBeTrue();
+                expect(r[1].controller).toBe("datapai.dashboard");
+                expect(r[1].action).toBe("index");
+            });
+            it("Does not falsely reject when package is empty", function(){
+                m.$draw()
+                    .$match(name = "edge", method = "get", pattern = "edge", controller = "/users", action = "index", package = "")
+                .end();
+                r = m.getRoutes();
+                expect(r).toBeArray();
+                expect(ArrayLen(r) >= 1).toBeTrue();
+            });
         });
     }
 
