From ac5e10158a0639bf59480caeb7df8c2fa2ad2d4c Mon Sep 17 00:00:00 2001
From: Kailash Nadh <kailash@nadh.in>
Date: Mon, 4 Nov 2024 14:01:30 +0530
Subject: [PATCH] Reject query-by-delete API requests with no query. Ref #2122.

---
 cmd/subscribers.go | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/cmd/subscribers.go b/cmd/subscribers.go
index 7947d306..306be690 100644
--- a/cmd/subscribers.go
+++ b/cmd/subscribers.go
@@ -439,6 +439,10 @@ func handleDeleteSubscribersByQuery(c echo.Context) error {
 		return err
 	}
 
+	if req.Query == "" {
+		return echo.NewHTTPError(http.StatusBadRequest, app.i18n.Ts("globals.messages.invalidFields", "name", "query"))
+	}
+
 	if err := app.core.DeleteSubscribersByQuery(req.Query, req.ListIDs, req.SubscriptionStatus); err != nil {
 		return err
 	}