On Monday, 8 September 2014 6:44 p.m. Dan Haywood <[email protected]> wrote:
> > Is the URL for an entity? Or the URL for a (query) action?

I'm talking about bookmarkable URLs in the format

http://localhost:7001/rma/wicket/wicket/bookmarkable/<Page class name>?pageType=ACTION&actionSingleResultsMode=REDIRECT&objectOid=<class name>:1&actionType=USER&actionOwningSpec=<class name>&actionId=<method description>&pageTitle=<page title>&actionMode=PARAMETERS

It allows the execution of the method.

Calling via the restfulobjects API

/resultful/services/<serviceName>/actions/<methodName>/invoke

fails with a 404 as expected when logging in with a user that has no access.

> If the URL you are pasting in is for a query action, and it is firing, then
> you have indeed found an issue.

Our security tester managed to call a method that created new entities.

-------------------------------
This email and any attachments may contain information that is confidential and subject to legal privilege. If you are not the intended recipient, any use, dissemination, distribution or duplication of this email and attachments is prohibited. If you have received this email in error please notify the author immediately and erase all copies of the email and attachments. The Ministry of Social Development accepts no responsibility for changes made to this message or attachments after transmission from the Ministry.
-------------------------------
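The message above reports that the Wicket viewer's bookmarkable action URL (pageType=ACTION, actionMode=PARAMETERS) executed an action for a user whom the REST entry point correctly refused with a 404. The script below is an added example, not part of the email thread or of the Isis project: it scans web-server access logs for bookmarkable action requests, pulls actionOwningSpec and actionId out of the query string exactly as they appear in the URL format quoted above, and flags requests that the viewer served with a 2xx status to a user whose authorization policy does not grant that action. The log lines, the page class names and the ALLOWED_ACTIONS policy are constructed for the example; in a real review the policy would come from the application's own security configuration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (not taken from the email) in a
# simplified common-log shape: client user [timestamp] "METHOD path proto" status bytes
SAMPLE_LOG = """\
10.0.0.5 alice [08/Sep/2014:18:44:01 +1200] "GET /rma/wicket/wicket/bookmarkable/com.example.ActionPromptPage?pageType=ACTION&actionSingleResultsMode=REDIRECT&objectOid=CUSTOMER:1&actionType=USER&actionOwningSpec=CUSTOMER&actionId=createOrder()&pageTitle=Create%20order&actionMode=PARAMETERS HTTP/1.1" 200 5120
10.0.0.7 bob [08/Sep/2014:18:45:10 +1200] "GET /rma/wicket/wicket/bookmarkable/com.example.EntityPage?pageType=ENTITY&objectOid=CUSTOMER:1 HTTP/1.1" 200 3100
10.0.0.9 carol [08/Sep/2014:18:46:22 +1200] "GET /rma/wicket/wicket/bookmarkable/com.example.ActionPromptPage?pageType=ACTION&actionSingleResultsMode=REDIRECT&objectOid=CUSTOMER:1&actionType=USER&actionOwningSpec=CUSTOMER&actionId=createOrder()&pageTitle=Create%20order&actionMode=PARAMETERS HTTP/1.1" 200 5120
"""

# Hypothetical authorization policy: (owning spec, action id) pairs each user
# may invoke. Hard-coded only for the example.
ALLOWED_ACTIONS = {
    "alice": {("CUSTOMER", "createOrder()")},
    "carol": set(),  # read-only user; should never be served an action page
}

LOG_RE = re.compile(r'^(\S+) (\S+) \[[^\]]+\] "(\S+) (\S+) \S+" (\d{3}) \S+$')


def parse_action_requests(log_text):
    """Yield (user, owning_spec, action_id, status) for every bookmarkable
    request whose query string marks it as an action page."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected shape
        user, path, status = m.group(2), m.group(4), int(m.group(5))
        parts = urlsplit(path)
        if "/wicket/bookmarkable/" not in parts.path:
            continue
        q = parse_qs(parts.query)
        if q.get("pageType") != ["ACTION"]:
            continue  # entity pages and other page types are not action invocations
        yield (
            user,
            q.get("actionOwningSpec", [""])[0],
            q.get("actionId", [""])[0],
            status,
        )


def find_unauthorized_invocations(log_text, policy):
    """Return action requests the viewer answered with 2xx for users whose
    policy does not grant that action: the cases where the UI entry point
    failed to apply the same authorization the REST entry point applied."""
    hits = []
    for user, spec, action, status in parse_action_requests(log_text):
        if 200 <= status < 300 and (spec, action) not in policy.get(user, set()):
            hits.append((user, spec, action, status))
    return hits


if __name__ == "__main__":
    for hit in find_unauthorized_invocations(SAMPLE_LOG, ALLOWED_ACTIONS):
        print("unauthorized action served:", hit)
```

Running it over the constructed log reports carol's createOrder() request, which the viewer answered with 200 although her policy grants no actions, while alice's identical request is accepted and bob's entity page is ignored. The same pass over real logs gives a defender a list of users and actions to reconcile against the application's authorization configuration while the viewer-side gap is being fixed.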
