From 4e93863a4269b9adab93777b6fa57b41842d8a4f Mon Sep 17 00:00:00 2001
From: Niels Vegter
Date: Thu, 3 Feb 2022 13:41:57 +0000
Subject: [PATCH 1/3] Block api calls to other sites - related ticket https://trello.com/c/zRxVliEP
---
 packages/cms/lib/modules/api-proxy/index.js | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/packages/cms/lib/modules/api-proxy/index.js b/packages/cms/lib/modules/api-proxy/index.js
index e352c2032..0f5aed691 100644
--- a/packages/cms/lib/modules/api-proxy/index.js
+++ b/packages/cms/lib/modules/api-proxy/index.js
@@ -21,6 +21,15 @@ module.exports = {
 pathRewrite: {['^' + apiPath]: '/api'},
 onProxyReq: (proxyReq, req, res) => {
+ const siteId = req.data.global.siteId;
+ let path = req.path;
+ let match = path.match(/\/api\/site\/(\d+)\//);
+ if (match && match[1] != siteId) {
+ return res.status(403).json({
+ 'message' : self.apos.i18n.__('The api call is for another site')
+ });
+ }
+
 /**
 * Validate the request with captcha if send by a form
 */
From 360d57d6a85173010d5c33fcc0b785e41679ccb8 Mon Sep 17 00:00:00 2001
From: Niels Vegter
Date: Thu, 3 Feb 2022 13:41:57 +0000
Subject: [PATCH 2/3] Block api calls to other sites - related ticket https://trello.com/c/zRxVliEP
---
 packages/cms/lib/modules/api-proxy/index.js | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/packages/cms/lib/modules/api-proxy/index.js b/packages/cms/lib/modules/api-proxy/index.js
index e352c2032..0f5aed691 100644
--- a/packages/cms/lib/modules/api-proxy/index.js
+++ b/packages/cms/lib/modules/api-proxy/index.js
@@ -21,6 +21,15 @@ module.exports = {
 pathRewrite: {['^' + apiPath]: '/api'},
 onProxyReq: (proxyReq, req, res) => {
+ const siteId = req.data.global.siteId;
+ let path = req.path;
+ let match = path.match(/\/api\/site\/(\d+)\//);
+ if (match && match[1] != siteId) {
+ return res.status(403).json({
+ 'message' : self.apos.i18n.__('The api call is for another site')
+ });
+ }
+
 /**
 * Validate the request with captcha if send by a form
 */
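Review bot: Answering with `res.status(403).json(...)` from inside `onProxyReq` does not stop the proxied call: http-proxy ignores the listener's return value and still sends `proxyReq` upstream, so the rejection is delivered to the client while the request is forwarded anyway, and whether the upstream response then collides with the already-sent 403 depends on the http-proxy version in use, which the hunk does not show. Do the site check in an Express middleware mounted before the proxy, or at minimum abort the outbound request here with `proxyReq.destroy();` before responding. `match[1]` is always a string while `siteId` may be a number, so the loose `!=` is load-bearing; make the intent explicit with `if (match && match[1] !== String(siteId)) {`. `req.data.global.siteId` throws on any request where `req.data` is not populated, so either guard it (`req.data?.global?.siteId`) or confirm the middleware that sets it always runs ahead of the proxy. The identical hunk in PATCH 2/3 has the same issues, and the enclosing `onProxyReq` handler continues outside the hunk.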
From 0ee71a392bae17aa89502990261a0ffee4214fec Mon Sep 17 00:00:00 2001
From: Niels Vegter
Date: Mon, 22 Aug 2022 14:49:40 +0200
Subject: [PATCH 3/3] Optional trailing slash
---
 packages/cms/lib/modules/api-proxy/index.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/packages/cms/lib/modules/api-proxy/index.js b/packages/cms/lib/modules/api-proxy/index.js
index 0f5aed691..ee19222a8 100644
--- a/packages/cms/lib/modules/api-proxy/index.js
+++ b/packages/cms/lib/modules/api-proxy/index.js
@@ -23,7 +23,7 @@ module.exports = {
 const siteId = req.data.global.siteId;
 let path = req.path;
- let match = path.match(/\/api\/site\/(\d+)\//);
+ let match = path.match(/\/api\/site\/(\d+)\/?/);
 if (match && match[1] != siteId) {
 return res.status(403).json({
 'message' : self.apos.i18n.__('The api call is for another site')