[
https://issues.apache.org/jira/browse/WW-4596?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15130280#comment-15130280
]
Greg Huber edited comment on WW-4596 at 2/3/16 12:00 PM:
---------------------------------------------------------
The save from above is from the parent package, so I thought I would try
action:myView!cancelWithSearch
i.e. method cancelWithSearch. This should definitely be blocked, but it passes.
Here are the allows:
{noformat}
[LiteralAllowedMethod{allowedMethod='cancel'},
LiteralAllowedMethod{allowedMethod='cancelz*'},
LiteralAllowedMethod{allowedMethod='add*'},
LiteralAllowedMethod{allowedMethod='previous'},
PatternAllowedMethod{allowedMethodPattern=(.*), original='{1}'},
LiteralAllowedMethod{allowedMethod='save'},
LiteralAllowedMethod{allowedMethod='back'},
LiteralAllowedMethod{allowedMethod='index'},
LiteralAllowedMethod{allowedMethod='list'},
LiteralAllowedMethod{allowedMethod='execute'},
LiteralAllowedMethod{allowedMethod='delete'},
LiteralAllowedMethod{allowedMethod='search*'},
LiteralAllowedMethod{allowedMethod='input'},
LiteralAllowedMethod{allowedMethod='delete*'},
LiteralAllowedMethod{allowedMethod='publish'},
LiteralAllowedMethod{allowedMethod='expire'},
LiteralAllowedMethod{allowedMethod='savez'},
LiteralAllowedMethod{allowedMethod='browse'}]
{noformat}
allowed methods:
{noformat}
myView!*
cancel
cancelz*
add*
previous
{1}
save
back
index
list
execute
delete
search*
input
delete*
publish
expire
savez
browse
{noformat}
There is a {1} in the list which generates
PatternAllowedMethod{allowedMethodPattern=(.*), original='{1}'}.
If I remove the {1} from the list:
{code:java}
import java.util.HashSet;
import java.util.Set;

// Copy the original action's allowed methods, dropping the unsubstituted "{1}"
// placeholder (which is otherwise compiled into the catch-all pattern "(.*)")
Set<String> set = orig.getAllowedMethods();
Set<String> newSet = new HashSet<>();
for (String string : set) {
    System.out.println(string);
    if (!"{1}".equals(string)) {
        newSet.add(string);
    }
}
{code}
and use .addAllowedMethod(newSet), it starts working, i.e. blocking.
{code:xml}
<action name="myView!*" method="{1}"
class="ui.struts2.editor.MyView">
{code}
It seems to be getting the {1} from the action. Which class builds the allows?
I will try to debug it.
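The effect described in the comment, as an added illustration that is not Struts code and not part of the ticket: a small model of how the allow list is interpreted, reconstructed from the logged LiteralAllowedMethod / PatternAllowedMethod output above (assumed: only entries carrying an unsubstituted {N} placeholder become patterns, everything else, including `search*`, stays a literal string, as the log shows). It reproduces the bypass of `cancelWithSearch`, the workaround of dropping `{1}`, and a check that flags any unresolved placeholder left in an allow list.

```python
import re
from typing import Iterable, List, Tuple

# Unsubstituted wildcard placeholder such as "{1}" in an allow entry.
PLACEHOLDER = re.compile(r"\{(\d+)\}")


def compile_allowed(entries: Iterable[str]) -> List[Tuple[str, object]]:
    """Model (assumption, not Struts' own code) of AllowedMethods building:
    an entry with a {N} placeholder becomes a regex with "(.*)" in its place,
    so a bare "{1}" compiles to the catch-all "(.*)"; all others are literals."""
    compiled = []
    for entry in entries:
        if PLACEHOLDER.search(entry):
            parts = PLACEHOLDER.split(entry)  # text and group numbers alternate
            regex = "".join(re.escape(p) if i % 2 == 0 else "(.*)"
                            for i, p in enumerate(parts))
            compiled.append(("pattern", re.compile(regex)))
        else:
            compiled.append(("literal", entry))
    return compiled


def is_allowed(method: str, entries: Iterable[str]) -> bool:
    """Strict-DMI check of a requested method against the allow list."""
    for kind, matcher in compile_allowed(entries):
        if kind == "literal" and matcher == method:
            return True
        if kind == "pattern" and matcher.fullmatch(method):
            return True
    return False


def unresolved_placeholders(entries: Iterable[str]) -> List[str]:
    """Defensive check: entries still holding {N} were never substituted with
    the wildcard match and will accept every method name."""
    return [e for e in entries if PLACEHOLDER.search(e)]


def drop_unresolved(entries: Iterable[str]) -> List[str]:
    """The workaround from the comment: rebuild the list without "{N}" entries."""
    return [e for e in entries if not PLACEHOLDER.search(e)]


# Allow list as logged for myView!* in the comment (constructed from that output).
ALLOWED_FROM_TICKET = ["myView!*", "cancel", "cancelz*", "add*", "previous", "{1}",
                       "save", "back", "index", "list", "execute", "delete",
                       "search*", "input", "delete*", "publish", "expire",
                       "savez", "browse"]
```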
> Strict DMI causes This method: for action is not allowed!
> -----------------------------------------------------------
>
> Key: WW-4596
> URL: https://issues.apache.org/jira/browse/WW-4596
> Project: Struts 2
> Issue Type: Bug
> Components: Core Actions
> Affects Versions: 2.5
> Reporter: Greg Huber
> Fix For: 2.5
>
>
> I have tried adding
> {code:xml}
> <global-allowed-methods>execute,input,cancel</global-allowed-methods>
> {code}
> and get
> {noformat}
> This method: cancel for action eventAdd is not allowed! - [unknown location]
> {noformat}
> {code:xml}
> <action name="eventAdd!*" method="{1}"
> class="ui.struts2.editor.EventAdd">
> <result name="input" type="tiles">.EventAdd</result>
> <result name="success" type="chain">eventEdit</result>
> <result name="cancel" type="redirectAction">
> <param name="actionName">memberEvents</param>
> <param name="pgn">${bean.pageNum}</param>
> <param name="suppressEmptyParameters">true</param>
> </result>
> </action>
> {code}
> checking ActionConfig:
> {code:java}
> public boolean isAllowedMethod(String method) {
> return method.equals(methodName != null ? methodName :
> DEFAULT_METHOD) || allowedMethods.isAllowed(method);
> }
> {code}
> Debugging, I get calls to isAllowedMethod with:
> {noformat}
> 1 methodName = {1} and method = execute
> 2 methodName = execute and method = cancel
> {noformat}
> Only #1 has the required cancel;
> in #2 there is only a {{\[LiteralAllowedMethod\{allowedMethod='execute'\}\]}}
> On further investigation
> {{com.opensymphony.xwork2.config.impl.ActionConfigMatcher}} seems to create a
> new ActionConfig but then only uses the default allowed names:
> {code:java}
> return new ActionConfig.Builder(pkgName, orig.getName(), className)
> .methodName(methodName)
> .addParams(params)
> .addResultConfigs(results)
> .addInterceptors(orig.getInterceptors())
> .addExceptionMappings(exs)
> .location(orig.getLocation())
> .build();
> {code}
> Could use the original by appending
> .addAllowedMethod(orig.getAllowedMethods()), but I guess it should come from
> the ActionConfig stored in the packageContext or wherever the orig object
> gets its allowedMethods from.
> Cheers Greg