AssetsController::show() returns 500 when Asset::find() returns null #13739
Description
Bug Description
AssetsController::show() passes the return value of Asset::find() directly into new AssetResource($asset) without a null guard. When the asset cannot be resolved (e.g. due to a Stache race condition), AssetResource::toArray() calls $this->id() on a null resource, resulting in a 500 error.
The fix would be to add abort_unless($asset, 404) (or similar) before constructing the resource, matching the pattern used in other CP controllers.
Relevant code in src/Http/Controllers/CP/Assets/AssetsController.php:
public function show($asset)
{
$asset = Asset::find(base64_decode($asset));
// TODO: Auth <-- also noted in source
return new AssetResource($asset);
}How to Reproduce
- Send a
GETrequest to thestatamic.cp.assets.showroute with a base64-encoded asset reference thatAsset::find()cannot resolve (e.g. a recently uploaded asset before Stache indexes it, or a stale/invalid reference) - Observe 500:
Call to a member function id() on null
Logs
Error: Call to a member function id() on null
at vendor/laravel/framework/src/Illuminate/Support/Traits/ForwardsCalls.php:23
#0 vendor/laravel/framework/src/Illuminate/Http/Resources/DelegatesToResource.php(155): JsonResource->forwardCallTo()
#1 vendor/statamic/cms/src/Http/Resources/CP/Assets/Asset.php(14): JsonResource->__call()
#2 vendor/laravel/framework/src/Illuminate/Http/Resources/Json/JsonResource.php(139): Asset->toArray()
Environment
| Detail | Value |
|---|---|
| Laravel Version | 12.47.0 |
| PHP Version | 8.4.16 |
| Statamic Version | 5.72.0 Solo |
| Static Caching | half |
Installation: Existing Laravel app
Additional Details
Also confirmed the same missing null guard exists on the 6.x branch (v6.1.0).