
revert(urlmap): revert PR #35345 #35622

Merged: dsilvam merged 1 commit into main from issue-35621-revert-url-mapping-problem on May 8, 2026


@gortiz-dotcms gortiz-dotcms commented May 8, 2026

cross-site URL map fallback caused multi-tenant content bleed

Reverts all changes introduced by PR #35345 (fix: url map 404 on different host).

The unrestricted cross-site fallback added in that PR — which removed the conhost filter from the ES query when the host-restricted query returned no results — caused a production incident (#35616): in multi-brand/multi-tenant setups, content from one site was silently rendered on a different site's pages.

This revert restores the original host-restricted single-query behavior. The getDetailPageUri() fallback (which allowed detail pages on a different host) is also reverted; it will be reintroduced correctly in the follow-up fix.

This PR fixes: #35621


… multi-tenant content bleed

Reverts all changes introduced by PR #35345 (fix: url map 404 on different host).

The unrestricted cross-site fallback added in that PR — which removed the conhost
filter from the ES query when the host-restricted query returned no results — caused
a production incident (#35616): in multi-brand/multi-tenant setups, content from one
site was silently rendered on a different site's pages.

This revert restores the original host-restricted single-query behavior. The
getDetailPageUri() fallback (which allowed detail pages on a different host) is also
reverted; it will be reintroduced correctly in the follow-up fix.

Closes #35621
See also: #35616, #35268

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
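
The failure mode the PR description names, as an added Java illustration that is not dotCMS code and not part of this PR: a lookup that retries without the conhost filter on a miss, beside the host-restricted lookup this revert restores. The class, method names, site names and in-memory index are hypothetical stand-ins for URLMapAPIImpl and the ES query.

```java
import java.util.List;
import java.util.Optional;

// Added illustration; not dotCMS code. All names here are hypothetical.
public class UrlMapHostFilterDemo {

    static final class Doc {
        final String conhost, urlMap, title;
        Doc(String conhost, String urlMap, String title) {
            this.conhost = conhost; this.urlMap = urlMap; this.title = title;
        }
    }

    // Constructed sample index: two tenants, only brand-b owns /news/launch.
    static final List<Doc> INDEX = List.of(
        new Doc("brand-a", "/news/welcome", "Brand A welcome"),
        new Doc("brand-b", "/news/launch", "Brand B launch"));

    // Host-restricted single query: the conhost filter is always applied.
    static Optional<Doc> findRestricted(String host, String uri) {
        return INDEX.stream()
            .filter(d -> d.conhost.equals(host) && d.urlMap.equals(uri))
            .findFirst();
    }

    // The reverted pattern: on a miss, retry with the conhost filter removed.
    static Optional<Doc> findWithFallback(String host, String uri) {
        Optional<Doc> hit = findRestricted(host, uri);
        return hit.isPresent() ? hit
            : INDEX.stream().filter(d -> d.urlMap.equals(uri)).findFirst();
    }

    // Tenant-isolation check: any result must belong to the requesting host.
    static boolean isolated(String host, Optional<Doc> result) {
        return result.map(d -> d.conhost.equals(host)).orElse(true);
    }

    public static void main(String[] args) {
        String host = "brand-a", uri = "/news/launch";
        Optional<Doc> fb = findWithFallback(host, uri);
        Optional<Doc> strict = findRestricted(host, uri);
        System.out.println("fallback   -> " + fb.map(d -> d.title).orElse("404")
            + " isolated=" + isolated(host, fb));
        System.out.println("restricted -> " + strict.map(d -> d.title).orElse("404")
            + " isolated=" + isolated(host, strict));
        if (!isolated(host, strict)) throw new AssertionError("tenant bleed");
    }
}
```

The `isolated` check is the kind of assertion a multi-site regression test can make on every resolved URL map result, independent of how the query is built.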

claude Bot commented May 8, 2026

Claude finished @gortiz-dotcms's task in 53s

dotCMS Backend Review — Complete ✅

  • Loaded dotCMS conventions
  • Got the Java diff (HEAD~1..HEAD, scope: *.java)
  • Ran 4 specialized review sub-agents in parallel
    • Security: NO_FINDINGS — tenant isolation correctly restored, no permission/secret/SQL issues
    • Database: NO_FINDINGS — no raw SQL or write paths; ES query inputs are system-controlled or ESUtils-escaped
    • Java Standards: NO_FINDINGS — Java 11 syntax, generics, Logger/APILocator all conformant
    • REST API: NO_FINDINGS — internal API, not a JAX-RS resource (rules don't apply)
  • Posted consolidated review comment (link)
  • Formal review skipped — I'm not permitted to approve PRs (FAQ)

Summary

This is a clean revert that restores the original host-restricted ES query behavior in URLMapAPIImpl, eliminating the cross-site fallback that caused multi-tenant content bleed (#35616). The diff also drops the per-request contentlet cache that PR #35345 added (it was only there to amortize the second ES query that this revert removes). Test changes are cosmetic — extracted constants and removed two tests that exercised the now-removed cross-site fallback.

No backend findings flagged across security, database, Java standards, or REST API dimensions.
• Branch: issue-35621-revert-url-mapping-problem

@github-actions github-actions Bot added the Area : Backend PR changes Java/Maven backend code label May 8, 2026

claude Bot commented May 8, 2026

dotCMS Backend Review: no issues found.

@gortiz-dotcms gortiz-dotcms marked this pull request as ready for review May 8, 2026 15:51
@dsilvam dsilvam added this pull request to the merge queue May 8, 2026
Merged via the queue into main with commit 60b10d5 May 8, 2026
52 checks passed
@dsilvam dsilvam deleted the issue-35621-revert-url-mapping-problem branch May 8, 2026 16:51

Labels

AI: Safe To Rollback Area : Backend PR changes Java/Maven backend code

Development

Successfully merging this pull request may close these issues.

Revert #35345 bug(url-map): cross-site content bleed in multi-brand setups — unrestricted fallback query returns wrong tenant's content

2 participants