OK, thanks for the clarification. Could you raise a ticket for this (as well as one for the issue on the other thread).
~~~
A minor point (not that this negates the fact that a fix is needed to Isis)... only query-only actions, i.e. those that are declared to have no side-effects using @ActionSemantics(Of.SAFE), are bookmarkable. So if you have a bookmarked action that is creating objects, then you ought to adjust its action semantics. In your particular case this might be a workaround to the security risk that's been flagged.

Thx
Dan

On 8 September 2014 21:32, Christopher Fairhall <[email protected]> wrote:

> On Monday, 8 September 2014 6:44 p.m. Dan Haywood <[email protected]> wrote:
> >
> > Is the URL for an entity? Or the URL for a (query) action?
>
> I'm talking about bookmarkable URLs in the format
> http://localhost:7001/rma/wicket/wicket/bookmarkable/<Page class name>?pageType=ACTION&actionSingleResultsMode=REDIRECT&objectOid=<class name>:1&actionType=USER&actionOwningSpec=<class name>&actionId=<method description>&pageTitle=<page title>&actionMode=PARAMETERS
>
> It allows the execution of the method.
>
> Calling via the Restful Objects API
> /restful/services/<serviceName>/actions/<methodName>/invoke
> fails with a 404 as expected when logging in with a user that has no access.
>
> > If the URL you are pasting in is for a query action, and it is firing, then you have indeed found an issue.
>
> Our security tester managed to call a method that created new entities.
>
> -------------------------------
> This email and any attachments may contain information that is confidential and subject to legal privilege. If you are not the intended recipient, any use, dissemination, distribution or duplication of this email and attachments is prohibited. If you have received this email in error please notify the author immediately and erase all copies of the email and attachments. The Ministry of Social Development accepts no responsibility for changes made to this message or attachments after transmission from the Ministry.
> -------------------------------
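As an added illustration of the workaround Dan suggests above (example code written for this page, not code from the thread or from the Apache Isis project): a domain object with one genuinely query-only action declared SAFE, and one entity-creating action whose semantics are corrected from a mistaken SAFE to NON_IDEMPOTENT so that the Wicket viewer no longer treats it as bookmarkable. The class, method and package names are assumptions; the annotations and DomainObjectContainer calls are the Isis 1.x applib as I know it, so check them against the version you run.

```java
package example.workaround; // assumed package name, not from the thread

import java.util.List;
import javax.inject.Inject;

import org.apache.isis.applib.DomainObjectContainer;
import org.apache.isis.applib.annotation.ActionSemantics;
import org.apache.isis.applib.annotation.ActionSemantics.Of;

// Hypothetical entity created by the side-effecting action below.
class Order {
    private String description;
    public String getDescription() { return description; }
    public void setDescription(final String description) { this.description = description; }
}

// Hypothetical domain object; names are illustrative only.
public class Customer {

    // Query-only: no side effects, so declaring it SAFE is correct.
    // This is the only kind of action the Wicket viewer should offer as a
    // bookmarkable action URL, and re-running it from a bookmark is harmless.
    @ActionSemantics(Of.SAFE)
    public List<Order> listOrders() {
        return container.allInstances(Order.class);
    }

    // BEFORE (the weak setting, shown only as a comment): an action that
    // creates entities but was declared query-only, which made it bookmarkable
    // even though every invocation persists a new object.
    //
    //   @ActionSemantics(Of.SAFE)
    //   public Order placeOrder(final String description) { ... }
    //
    // AFTER: declare the real semantics. A NON_IDEMPOTENT action is not
    // bookmarkable, so the bookmarked-URL route to it goes away.
    @ActionSemantics(Of.NON_IDEMPOTENT)
    public Order placeOrder(final String description) {
        final Order order = container.newTransientInstance(Order.class);
        order.setDescription(description);
        container.persist(order);
        return order;
    }

    @Inject
    DomainObjectContainer container;
}
```

Caveat: this only removes the bookmarkable route to the mutating action; it is not an authorization check. As Dan says, a fix to Isis is still needed, and a user without access to an action should be refused however the invocation arrives, as the Restful Objects viewer already does with its 404.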
