You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Instead of asserting an exception is thrown, each test now asserts the executed Solr query equals +(entity_group:free) — i.e., the malicious field was dropped entirely and only the safe access-control clause reached Solr.
Component:solr-plugin — AdvContentSearchController
(GET /api/plugins/advcontentsearch/contents, GET /api/plugins/advcontentsearch/facetedcontents)
Summary
Malformed and empty search filters no longer cause the endpoint to fail with HTTP 500
(RuntimeException: "Error: Key required"). Filter input is now validated and handled
explicitly.
Behavior changes (all previously resulted in HTTP 500)
Filter with a value/criteria but no field to search on (no attribute, no entityAttr,
and not a full-text filter) → now HTTP 400 Bad Request (error code 101, filtering.filter.attr.name.invalid). The request is rejected rather than silently executed,
so a mistyped filter can no longer return a broader result set than intended.
Empty placeholder filters (e.g. sparse indexing such as filters[99] leaving filters[0..98] empty, or an auto-grown/blank filter with no field and no value) → now
ignored; the request proceeds with its remaining valid filters and returns HTTP 200.
A WARN is logged for each discarded filter.
Full-text filter with a null attribute (filters[i].fullText=true carrying the term in value) → now HTTP 200; previously a NullPointerException / HTTP 500.
No change to successful requests
Valid requests are unaffected: returned content, result counts, ordering, faceting, and
pagination metadata are identical to previous releases. The only observable differences are the
error responses listed above.
Upgrade impact / client action
Clients that (incorrectly) relied on receiving a 500 for the cases above should expect 400 or 200 accordingly.
Clients sending filters without a searchable attribute (other than full-text) will now
receive a descriptive 400 — update those requests to include a valid attribute or entityAttr, or mark the filter fullText=true.
No API contract, request schema, or successful-response format changes.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Stacktrace replaced with a WARN
Instead of asserting an exception is thrown, each test now asserts the executed Solr query equals +(entity_group:free) — i.e., the malicious field was dropped entirely and only the safe access-control clause reached Solr.