You're not wrong, but I'd still like to be able to block GET. And the
other question is *why* this check isn't done for forms with submit
components (I haven't tried it, but I suspect using a regular button
rather than an ajax button would run into the same issue).

On Fri, Feb 2, 2018, at 14:45, Ernesto Reinaldo Barreiro wrote:
> Hi,
> Maybe I'm wrong but for AJAX only logged in user could get that
> REQUEST to> work because it is page relative.  Or am I completely wrong?
> On Thu, Feb 1, 2018 at 10:45 PM, Carl-Eric Menzel
> <>> wrote:
>> Hi,
>> I've just encountered an interesting oddity. For a normal form
>> submission,>> there is Form#onMethodMismatch where I can decide what should
>> happen if>> somebody calls the form's URL with a GET request rather than
>> the usual>> POST. At least in 6.x and 7.x this is called from
>> onFormSubmitted() - but>> not from onFormSubmitted(submitter).
>> The result is that for forms that have an ajax button and thus
>> a valid>> submitter, I can't stop somebody building a GET request and
>> firing that>> against the button's URL. Theoretically I could override
>> AjaxFormSubmitBehavior's onEvent method, but that doesn't work
>> for ajax>> buttons, which build their own AjaxFormSubmitBehavior.
>> On one of my current projects the customer is quite security-
>> minded and>> would like the application to block these GET requests. My
>> question is: Is>> it intentional that only the regular onFormSubmitted() 
>> method
>> checks this?>> If yes, I'd like to know the reasoning please. If not, I'm 
>> going to
>> write a>> patch to fix this.
>> Or maybe I'm missing something and am going the wrong way
>> entirely. In>> that case, let me know please.
>> Carl-Eric
> --
> Regards - Ernesto Reinaldo Barreiro

Reply via email to