OK, thanks Christopher. I've raised a ticket for this [1] (and one also for the other thread [2]).
Please add to it if there's anything missing / extra useful info.

Dan

[1] https://issues.apache.org/jira/browse/ISIS-883
[2] https://issues.apache.org/jira/browse/ISIS-884

On 9 September 2014 22:11, Christopher Fairhall <[email protected]> wrote:

> On Tuesday, 9 September 2014 8:07 p.m. Dan Haywood <[email protected]> wrote:
>
> > A minor point (not that this negates the fact that a fix is needed to Isis)... only query-only actions,
> > ie those that are declared to have no side-effects using @ActionSemantics(Of.SAFE) actions,
> > are bookmarkable. So if you have a bookmarked action that is creating objects, then you ought
> > to adjust its action semantics. In your particular case this might be a workaround to the security
> > risk that's been flagged.
>
> We haven't used @ActionSemantics(Of.SAFE) on the create methods, only the query methods.
> I believe the default is Of.NON_IDEMPOTENT.
>
> It's not the invocation that's being accessed by the bookmarkable URL, it's the form to enter the parameters.
> Clicking the "OK" button on that form invokes the method.
> The actual URL that causes the method invocation is
> POST http://localhost:7001/rma/wicket/wicket/page?1-1.IFormSubmitListener-action-parameters-inputForm
> with a standard x-www-form-urlencoded post body.
>
> On 8 September 2014 21:32, Christopher Fairhall <[email protected]> wrote:
>
> > On Monday, 8 September 2014 6:44 p.m. Dan Haywood <[email protected]> wrote:
> >
> > > Is the URL for an entity? Or the URL for a (query) action?
> >
> > I'm talking about bookmarkable URLs in the format
> > http://localhost:7001/rma/wicket/wicket/bookmarkable/<Page class name>?pageType=ACTION&actionSingleResultsMode=REDIRECT&objectOid=<class name>:1&actionType=USER&actionOwningSpec=<class name>&actionId=<method description>&pageTitle=<page title>&actionMode=PARAMETERS
> >
> > It allows the execution of the method.
> >
> > Calling via the restfulobjects API
> > /resultful/services/<serviceName>/actions/<methodName>/invoke
> > fails with a 404 as expected when logging in with a user that has no access.
> >
> > > If the URL you are pasting in is for a query action, and it is firing,
> > > then you have indeed found an issue.
> >
> > Our security tester managed to call a method that created new entities.
> >
> > -------------------------------
> > This email and any attachments may contain information that is confidential and subject to legal privilege. If you are not the intended recipient, any use, dissemination, distribution or duplication of this email and attachments is prohibited. If you have received this email in error please notify the author immediately and erase all copies of the email and attachments. The Ministry of Social Development accepts no responsibility for changes made to this message or attachments after transmission from the Ministry.
> > -------------------------------
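The pattern Christopher describes (the action is hidden from unauthorised users, but the bookmarkable page that renders its parameter form, and the POST that submits that form, can be reached directly) is illustrated below as an added, framework-independent example. It is not Apache Isis code and not from the thread; the `PERMISSIONS` table, the `createCustomer`/`listCustomers` actions, the `ActionPromptPage` class name and the `Customers:1` oid are constructed stand-ins for the `<class name>`/`<method description>` placeholders quoted above. `invoke_unchecked` only trusts that the form was never shown to the user, `invoke_checked` re-authorises on every invocation.

```python
"""Added illustration (not Apache Isis code): an action hidden in the menu is
still invocable when the dispatcher does not re-check authorization on the
POST that the bookmarked parameter form submits."""
from dataclasses import dataclass, field
from typing import Dict, List, Set
from urllib.parse import parse_qs, urlsplit

# Constructed sample authorization table: roles allowed to invoke each action.
PERMISSIONS: Dict[str, Set[str]] = {
    "createCustomer": {"admin"},
    "listCustomers": {"admin", "reader"},
}


@dataclass
class User:
    name: str
    roles: Set[str]


@dataclass
class App:
    created: List[str] = field(default_factory=list)  # entities created so far

    def authorized(self, user: User, action_id: str) -> bool:
        return bool(PERMISSIONS.get(action_id, set()) & user.roles)

    def render_menu(self, user: User) -> List[str]:
        """The UI lists only the actions the user may invoke."""
        return sorted(a for a in PERMISSIONS if self.authorized(user, a))

    def _run(self, action_id: str, params: Dict[str, str]) -> object:
        if action_id == "createCustomer":
            self.created.append(params["name"])
            return f"created {params['name']}"
        if action_id == "listCustomers":
            return list(self.created)
        raise KeyError(action_id)

    def invoke_unchecked(self, user: User, action_id: str, params: Dict[str, str]) -> object:
        """Vulnerable dispatch: assumes the form was only ever rendered for
        authorised users, so the POST handler does not check again."""
        return self._run(action_id, params)

    def invoke_checked(self, user: User, action_id: str, params: Dict[str, str]) -> object:
        """Hardened dispatch: authorization is enforced on every invocation,
        however the caller reached the form."""
        if not self.authorized(user, action_id):
            raise PermissionError(f"{user.name} may not invoke {action_id}")
        return self._run(action_id, params)


def action_from_bookmark(url: str) -> str:
    """Pull actionId out of a bookmarkable page URL shaped like the one in
    the thread (pageType=ACTION&...&actionId=...&actionMode=PARAMETERS)."""
    query = parse_qs(urlsplit(url).query)
    if query.get("pageType") != ["ACTION"]:
        raise ValueError("not an action page URL")
    return query["actionId"][0]


def submit_from_bookmark(app: App, user: User, url: str, form_body: str, checked: bool) -> object:
    """Simulate: the user pastes the bookmarked URL, gets the parameter form,
    clicks OK, and the browser POSTs an x-www-form-urlencoded body."""
    action_id = action_from_bookmark(url)
    params = {k: v[0] for k, v in parse_qs(form_body).items()}
    invoke = app.invoke_checked if checked else app.invoke_unchecked
    return invoke(user, action_id, params)


def demo() -> Dict[str, object]:
    """Run both dispatchers for a user who only holds the 'reader' role."""
    tester = User("tester", {"reader"})
    # Hypothetical page class and oid; the query-string shape follows the thread.
    url = ("http://localhost:7001/rma/wicket/wicket/bookmarkable/ActionPromptPage"
           "?pageType=ACTION&actionSingleResultsMode=REDIRECT&objectOid=Customers:1"
           "&actionType=USER&actionOwningSpec=Customers&actionId=createCustomer"
           "&pageTitle=Create&actionMode=PARAMETERS")
    body = "name=Mallory"  # constructed form body

    unchecked = App()
    result = submit_from_bookmark(unchecked, tester, url, body, checked=False)

    checked = App()
    try:
        submit_from_bookmark(checked, tester, url, body, checked=True)
        denied = False
    except PermissionError:
        denied = True

    return {
        "menu": unchecked.render_menu(tester),    # createCustomer is hidden...
        "unchecked_result": result,                # ...yet the POST ran it
        "unchecked_created": unchecked.created,
        "checked_denied": denied,
        "checked_created": checked.created,
    }


if __name__ == "__main__":
    print(demo())
```

The menu hides `createCustomer` from the reader in both variants; only the checked dispatcher turns the direct POST into a `PermissionError`, which is the behaviour the REST path in the thread already shows (404 for a user without access) and the Wicket path did not.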
