Skip to content

34548 defect tags v2 api silently accepts duplicate tags on both create and import endpoints#34604

Open
hassandotcms wants to merge 7 commits intomainfrom
34548-defect-tags-v2-api-silently-accepts-duplicate-tags-on-both-create-and-import-endpoints
Open

34548 defect tags v2 api silently accepts duplicate tags on both create and import endpoints#34604
hassandotcms wants to merge 7 commits intomainfrom
34548-defect-tags-v2-api-silently-accepts-duplicate-tags-on-both-create-and-import-endpoints

Conversation

@hassandotcms
Copy link
Contributor

@hassandotcms hassandotcms commented Feb 11, 2026

Proposed Changes

  • POST /api/v2/tags (create) now pre-checks tag existence and returns a response with separate created and duplicates lists instead of silently returning existing tags as if newly created
  • POST /api/v2/tags/import now tracks duplicateCount separately from successCount, so successCount only reflects tags that were actually created
  • Updated all Postman test assertions to match the new response contracts

Checklist

  • Tests
  • Translations
  • Security Implications Contemplated (add notes if applicable)

Additional Info

** any additional useful context or info **

Screenshots

Original Updated
** original screenshot ** ** updated screenshot **

This PR fixes: #34548

Both POST /api/v2/tags (create) and POST /api/v2/tags/import silently
accepted duplicate tags without reporting them. The root cause was that
both endpoints relied on tagAPI.getTagAndCreate(), which returns an
existing tag if one already exists — callers could not distinguish
new tags from duplicates.

Changes:
- Create endpoint now pre-checks tag existence via getTagByNameAndHost()
  and returns separate 'created' and 'duplicates' lists in the response
- Import endpoint now tracks duplicateCount separately from successCount;
  successCount only counts tags that were actually created
- Updated Postman tests to match new response contracts
…ct-tags-v2-api-silently-accepts-duplicate-tags-on-both-create-and-import-endpoints
hassandotcms and others added 5 commits February 12, 2026 21:41
… import, and update #34548

The duplicate detection in createTags, importTags, and updateTag was
checking against the form's siteId instead of the resolved tagStorage
host. When a site's tagStorage differs from its own ID (e.g. points to
SYSTEM_HOST or another site), duplicates were silently accepted.
…esource postman test

POST /api/v2/tags returns 200, not 201.
…plicate-tags-on-both-create-and-import-endpoints
…plicate-tags-on-both-create-and-import-endpoints
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

Status: No status

Development

Successfully merging this pull request may close these issues.

[DEFECT] Tags v2 API silently accepts duplicate tags on both create and import endpoints

4 participants