Maybe I'm wrong, but for AJAX only a logged-in user could get that REQUEST to
work because it is page relative. Or am I completely wrong?

On Thu, Feb 1, 2018 at 10:45 PM, Carl-Eric Menzel <cmen...@wicketbuch.de> wrote:

> Hi,
> I've just encountered an interesting oddity. For a normal form submission,
> there is Form#onMethodMismatch where I can decide what should happen if
> somebody calls the form's URL with a GET request rather than the usual
> POST. At least in 6.x and 7.x this is called from onFormSubmitted() - but
> not from onFormSubmitted(submitter).
> The result is that for forms that have an ajax button and thus a valid
> submitter, I can't stop somebody building a GET request and firing that
> against the button's URL. Theoretically I could override
> AjaxFormSubmitBehavior's onEvent method, but that doesn't work for ajax
> buttons, which build their own AjaxFormSubmitBehavior.
> On one of my current projects the customer is quite security-minded and
> would like the application to block these GET requests. My question is: Is
> it intentional that only the regular onFormSubmitted() method checks this?
> If yes, I'd like to know the reasoning please. If not, I'm going to write a
> patch to fix this.
> Or maybe I'm missing something and am going the wrong way entirely. In
> that case, let me know please.
> Carl-Eric

Regards - Ernesto Reinaldo Barreiro
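The quoted message describes the gap: Form#onMethodMismatch guards the plain submission path but is not consulted when a submitter (an AJAX button or behaviour) handles the request. The following is an added example, not code from this thread or from Wicket itself, showing how a project can enforce POST on both paths for the components it controls: a Form subclass that returns ABORT from onMethodMismatch, and an AjaxFormSubmitBehavior subclass that checks the container request's HTTP method before the submit callbacks run. The helpers currentHttpMethod() and rejectUnlessPost() are hypothetical names introduced here, and the example assumes a servlet container, a Wicket 6.x/7.x Form API with MethodMismatchResponse, and that the behaviour is attached by the application (as Carl-Eric notes, AjaxButton builds its own behaviour, which this subclass does not replace).

```java
import javax.servlet.http.HttpServletRequest;

import org.apache.wicket.ajax.AjaxRequestTarget;
import org.apache.wicket.ajax.form.AjaxFormSubmitBehavior;
import org.apache.wicket.markup.html.form.Form;
import org.apache.wicket.request.cycle.RequestCycle;
import org.apache.wicket.request.http.flow.AbortWithHttpErrorCodeException;

/** Example form that rejects any submission not made with HTTP POST. */
public class PostOnlyForm<T> extends Form<T> {

    public PostOnlyForm(String id) {
        super(id);
    }

    /** Non-AJAX path: Wicket calls this when the request method differs from getMethod(). */
    @Override
    protected MethodMismatchResponse onMethodMismatch() {
        // Default is CONTINUE; ABORT stops processing of a GET against the form's URL.
        return MethodMismatchResponse.ABORT;
    }

    /** Hypothetical helper (not Wicket API): HTTP method of the current request, or null. */
    static String currentHttpMethod() {
        Object container = RequestCycle.get().getRequest().getContainerRequest();
        if (container instanceof HttpServletRequest) {
            return ((HttpServletRequest) container).getMethod();
        }
        return null;
    }

    /** Hypothetical helper (not Wicket API): abort with 405 unless the request is a POST. */
    static void rejectUnlessPost() {
        String method = currentHttpMethod();
        if (method == null || !"POST".equalsIgnoreCase(method)) {
            throw new AbortWithHttpErrorCodeException(405, "Form submission requires POST");
        }
    }

    /**
     * AJAX path: the submitter is invoked via onEvent, which bypasses onMethodMismatch,
     * so the method check is applied here before delegating to the normal submit handling.
     */
    public static class PostOnlyAjaxSubmitBehavior extends AjaxFormSubmitBehavior {

        public PostOnlyAjaxSubmitBehavior(Form<?> form, String event) {
            super(form, event);
        }

        @Override
        protected void onEvent(AjaxRequestTarget target) {
            rejectUnlessPost();   // GET against the behaviour's callback URL ends here
            super.onEvent(target); // otherwise proceed with validation and onSubmit/onError
        }
    }
}
```

Attach `new PostOnlyAjaxSubmitBehavior(form, "click")` to a component instead of the stock behaviour; the 405 response makes a rejected GET visible in access logs, which is useful when verifying the customer's requirement. The method check is independent of the page-relative listener URL point raised in the reply above: it only establishes that the request was a POST, not who sent it.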
