Avoid direct access to reviews list Ajax

Ilan Parmentier · web-flow · commit 55166494a1ba · 2021-08-20T20:28:15.000+02:00
Good evening,

Do not know wether it is intentional,

But you can access directly to the reviews list Ajax controller 

You can give it a try :
/review/product/listAjax/id/111111616
=&gt; Display the raw output in the browser.

Why not restrain this page to Ajax only.

Give me your think,

Ilan Parmentier
diff --git a/app/code/Magento/Review/Controller/Product/ListAjax.php b/app/code/Magento/Review/Controller/Product/ListAjax.php
@@ -22,7 +22,8 @@ class ListAjax extends ProductController implements HttpGetActionInterface
      */
     public function execute()
     {
-        if (!$this->initProduct()) {
+        if (!$this->getRequest()->isAjax() 
+            || !$this->initProduct()) {
             /** @var \Magento\Framework\Controller\Result\Forward $resultForward */
             $resultForward = $this->resultFactory->create(ResultFactory::TYPE_FORWARD);
             return $resultForward->forward('noroute');
