On Tuesday, 9 September 2014 8:07 p.m. Dan Haywood 
<[email protected]> wrote:

> A minor point (not that this negates the fact that a fix is needed to
> Isis)... only query-only actions, ie those that are declared to have no
> side-effects using @ActionSemantics(Of.SAFE), are bookmarkable. So if you
> have a bookmarked action that is creating objects, then you ought to adjust
> its action semantics. In your particular case this might be a workaround to
> the security risk that's been flagged.

We haven’t used @ActionSemantics(Of.SAFE) on the create methods, only the query 
methods.
I believe the default is Of.NON_IDEMPOTENT

It's not the invocation that's being accessed by the bookmarkable URL; it's the
form to enter the parameters.
Clicking the "OK" button on that form invokes the method.
The actual URL that causes the method invocation is
POST http://localhost:7001/rma/wicket/wicket/page?1-1.IFormSubmitListener-action-parameters-inputForm
with a standard x-www-form-urlencoded post body.

On 8 September 2014 21:32, Christopher Fairhall <[email protected]> wrote:

> On Monday, 8 September 2014 6:44 p.m. Dan Haywood <[email protected]> wrote:
>
> >
> > Is the URL for an entity?  Or the URL for a (query) action?
>
> I'm talking about bookmarkable URLs in the format
> http://localhost:7001/rma/wicket/wicket/bookmarkable/<Page class name>?pageType=ACTION&actionSingleResultsMode=REDIRECT&objectOid=<class name>:1&actionType=USER&actionOwningSpec=<class name>&actionId=<method description>&pageTitle=<page title>&actionMode=PARAMETERS
>
> It allows the execution of the method.
>
> Calling via the Restful Objects API
> /restful/services/<serviceName>/actions/<methodName>/invoke
> fails with a 404 as expected when logging in with a user that has no
> access.
>
>
>
> > If the URL you are pasting in is for a query action, and it is
> > firing, then you have indeed found an issue.
>
> Our security tester managed to call a method that created new entities.
>
>

-------------------------------
This email and any attachments may contain information that is confidential and 
subject to legal privilege. If you are not the intended recipient, any use, 
dissemination, distribution or duplication of this email and attachments is 
prohibited. If you have received this email in error please notify the author 
immediately and erase all copies of the email and attachments. The Ministry of 
Social Development accepts no responsibility for changes made to this message 
or attachments after transmission from the Ministry.

-------------------------------
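Added example, not code from this thread or from Apache Isis: a small probe that a
security tester could run as the low-privilege user to compare the two paths
discussed above, i.e. whether the Restful Objects invoke URL is refused (404, as
reported) while the Wicket bookmarkable URL for the same action still serves the
parameter form. Assumptions, none of which come from the thread: the Restful Objects
viewer is mounted at /restful, the rendered parameter form can be recognised by the
Wicket form id "inputForm" (taken from the POST URL quoted above), and the page
class, service and action names used in the main block (ActionPromptPage, Customers,
newCustomer) are placeholders.

```python
"""Probe whether an action denied via Restful Objects is still reachable via a
Wicket bookmarkable URL. Added example; not part of Apache Isis."""
import base64
import urllib.error
import urllib.request
from urllib.parse import urlencode

# Assumption: the Wicket parameter form carries the id "inputForm"
# (the id appears in the form-submit URL quoted in the thread).
FORM_MARKER = "inputForm"


def bookmarkable_action_url(base, page_class, object_oid, owning_spec, action_id, page_title):
    """Build the bookmarkable action URL in the shape quoted in the thread."""
    query = {
        "pageType": "ACTION",
        "actionSingleResultsMode": "REDIRECT",
        "objectOid": object_oid,
        "actionType": "USER",
        "actionOwningSpec": owning_spec,
        "actionId": action_id,
        "pageTitle": page_title,
        "actionMode": "PARAMETERS",
    }
    return f"{base}/wicket/wicket/bookmarkable/{page_class}?{urlencode(query)}"


def restful_invoke_url(base, service_name, method_name):
    """Restful Objects URL that invokes a service action (viewer assumed at /restful)."""
    return f"{base}/restful/services/{service_name}/actions/{method_name}/invoke"


def urllib_fetch(cookie=None, basic_auth=None):
    """Real transport returning (status, body); HTTP errors are returned, not raised.
    cookie: Wicket session cookie obtained by logging in as the test user (assumed);
    basic_auth: (user, password) for the Restful Objects viewer."""
    def fetch(method, url, data=None):
        req = urllib.request.Request(url, method=method)
        if data is not None:
            req.data = urlencode(data).encode()
            req.add_header("Content-Type", "application/x-www-form-urlencoded")
        if cookie:
            req.add_header("Cookie", cookie)
        if basic_auth:
            token = base64.b64encode(":".join(basic_auth).encode()).decode()
            req.add_header("Authorization", "Basic " + token)
        try:
            with urllib.request.urlopen(req) as resp:
                return resp.status, resp.read().decode(errors="replace")
        except urllib.error.HTTPError as e:
            return e.code, e.read().decode(errors="replace")
        except urllib.error.URLError as e:
            return 0, str(e)  # connection failure: status 0 so callers can tell it apart
    return fetch


def check_action_authz(fetch, ro_url, bookmark_url):
    """Run both requests as the unauthorised user and compare the outcomes.

    ro_denied:   the Restful Objects viewer refused the action (401/403/404).
    form_served: the bookmarkable URL rendered the parameter form.
    bypass:      both at once, i.e. the Wicket path is weaker than the RO path.
    Only the status of the RO request matters here; a real invocation would
    carry a JSON body, which an unauthorised caller never gets to send.
    """
    ro_status, _ = fetch("POST", ro_url)
    bm_status, bm_body = fetch("GET", bookmark_url)
    ro_denied = ro_status in (401, 403, 404)
    form_served = bm_status == 200 and FORM_MARKER in bm_body
    return {
        "ro_status": ro_status,
        "bookmark_status": bm_status,
        "ro_denied": ro_denied,
        "form_served": form_served,
        "bypass": ro_denied and form_served,
    }


if __name__ == "__main__":
    # Placeholder names; replace with the page class, service and action under test.
    base = "http://localhost:7001/rma"
    ro = restful_invoke_url(base, "Customers", "newCustomer")
    bm = bookmarkable_action_url(base, "ActionPromptPage", "Customers:1",
                                 "Customers", "newCustomer", "New Customer")
    result = check_action_authz(urllib_fetch(cookie="JSESSIONID=...",
                                             basic_auth=("lowpriv", "secret")), ro, bm)
    print(result)
```

The probe is deliberately transport-agnostic: any callable returning (status, body)
can be passed as fetch, so the decision logic can be exercised offline against
constructed responses, and the same logic runs against a live server through
urllib_fetch once a session cookie for the low-privilege Wicket user is supplied.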
