Description
If you find a security vulnerability, do NOT open an issue. Email security@sanity.io instead.
Describe the bug
You cannot do a sanity request (post) with params that are non-scalar (i.e. 'ids' => [1,2,3]), example:
```php
use Sanity\Client;

$client = new Client([
    'projectId'  => 'myProject',
    'dataset'    => 'production',
    'token'      => 'myToken',
    'apiVersion' => '2023-08-01',
    'useCdn'     => false,
]);

$query = '*[railcontent_id in $ids]{_id, title}';

$response = $client->request([
    'method'  => 'POST',
    'url'     => "/data/query/production",
    'headers' => [
        'Content-Type' => 'application/json',
    ],
    'body' => json_encode([
        'query'  => $query,
        'params' => [
            'ids' => [1, 2, 3], // <--- array param
        ],
    ]),
]);
```
Error: Unexpected value of type "array" for field "params"
Expected behavior
According to GROQ and Sanity’s query API spec, params can be JSON literals, which should include arrays. The example above should work and return matching documents. Instead, the PHP client (or the API endpoint it calls) rejects array params.
Screenshots
N/A, here's a JSON RFC error instead bubbled up from a Laravel exception class:
```json
{
  "type": "https://www.rfc-editor.org/rfc/rfc9110.html#name-status-codes",
  "title": "An error occurred",
  "status": "Bad Request",
  "detail": "Unexpected value of type \"array\" for field \"params\" at offset 854"
}
```
Which versions of Sanity are you using?
^1.5
What operating system are you using?
ubuntu
Which versions of Node.js / npm are you running?
11.4.2
Additional context
Add any other context about the problem here.
Security issue?
Any security issues should be submitted directly to security@sanity.io. In order to determine whether you are dealing with a security issue, ask yourself these two questions:
- Can I access something that's not mine, or something I shouldn't have access to?
- Can I disable something for other people?

If the answer to either of those two questions is "yes", then you're probably dealing with a security issue. Note that even if you answer "no" to both questions, you may still be dealing with a security issue, so if you're unsure, just email us at [security@sanity.io](mailto:security@sanity.io).