Skip to content

34548 defect tags v2 api silently accepts duplicate tags on both create and import endpoints#34604

Open
hassandotcms wants to merge 7 commits intomainfrom
34548-defect-tags-v2-api-silently-accepts-duplicate-tags-on-both-create-and-import-endpoints
Open

34548 defect tags v2 api silently accepts duplicate tags on both create and import endpoints#34604
hassandotcms wants to merge 7 commits intomainfrom
34548-defect-tags-v2-api-silently-accepts-duplicate-tags-on-both-create-and-import-endpoints

Conversation

@hassandotcms
Copy link
Contributor

@hassandotcms hassandotcms commented Feb 11, 2026
edited by github-actions bot
Loading

Proposed Changes

  • POST /api/v2/tags (create) now pre-checks tag existence and returns a response with separate created and duplicates lists instead of silently returning existing tags as if newly created
  • POST /api/v2/tags/import now tracks duplicateCount separately from successCount, so successCount only reflects tags that were actually created
  • Updated all Postman test assertions to match the new response contracts

Checklist

  • Tests
  • Translations
  • Security Implications Contemplated (add notes if applicable)

Additional Info

** any additional useful context or info **

Screenshots

Original Updated
** original screenshot ** ** updated screenshot **

This PR fixes: #34548

@hassandotcms
fix(tags): report duplicate tags on create and import endpoints #34548
73648b4 
Both POST /api/v2/tags (create) and POST /api/v2/tags/import silently
accepted duplicate tags without reporting them. The root cause was that
both endpoints relied on tagAPI.getTagAndCreate(), which returns an
existing tag if one already exists — callers could not distinguish
new tags from duplicates.

Changes:
- Create endpoint now pre-checks tag existence via getTagByNameAndHost()
  and returns separate 'created' and 'duplicates' lists in the response
- Import endpoint now tracks duplicateCount separately from successCount;
  successCount only counts tags that were actually created
- Updated Postman tests to match new response contracts
@hassandotcms
Merge branch 'main' of https://github.com/dotCMS/core into 34548-defe…
26795cf 
…ct-tags-v2-api-silently-accepts-duplicate-tags-on-both-create-and-import-endpoints
@hassandotcms hassandotcms linked an issue Feb 11, 2026 that may be closed by this pull request
[DEFECT] Tags v2 API silently accepts duplicate tags on both create and import endpoints #34548
Open
5 tasks
@github-actions github-actions bot mentioned this pull request Feb 11, 2026
Open
5 tasks
hassandotcms and others added 5 commits February 12, 2026 21:41
@hassandotcms
fix(tags): resolve tag storage host before duplicate check on create,…
af20180 
… import, and update #34548

The duplicate detection in createTags, importTags, and updateTag was
checking against the form's siteId instead of the resolved tagStorage
host. When a site's tagStorage differs from its own ID (e.g. points to
SYSTEM_HOST or another site), duplicates were silently accepted.
@hassandotcms
merge: resolve conflict in TagResource.java, use effectiveSiteId from…
3af9d56 
… main for updateTag duplicate check
@hassandotcms
fix(test): correct expected status code for tag creation in Content_R…
31601e3 
…esource postman test

POST /api/v2/tags returns 200, not 201.
@fmontes
Merge branch 'main' into 34548-defect-tags-v2-api-silently-accepts-du…
c41bb29 
…plicate-tags-on-both-create-and-import-endpoints
@hassandotcms
Merge branch 'main' into 34548-defect-tags-v2-api-silently-accepts-du…
ad17dfc 
…plicate-tags-on-both-create-and-import-endpoints
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jcastro-dotcms jcastro-dotcms jcastro-dotcms approved these changes

@fabrizzio-dotCMS fabrizzio-dotCMS fabrizzio-dotCMS approved these changes

Assignees

No one assigned

Labels

None yet

Projects

dotCMS - Product Planning
Status: No status

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[DEFECT] Tags v2 API silently accepts duplicate tags on both create and import endpoints

4 participants

@hassandotcms @jcastro-dotcms @fabrizzio-dotCMS @fmontes