ISIS-883 and ISIS-884 now fixed in 1.7.0-SNAPSHOT; please see comments for ISIS-883 [1] and commit message for ISIS-884 [2]
[1] https://issues.apache.org/jira/browse/ISIS-883?focusedCommentId=14131180&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-14131180
[2] https://issues.apache.org/jira/browse/ISIS-884?focusedCommentId=14130042&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-14130042

On 10 September 2014 15:47, Dan Haywood <[email protected]> wrote:
> OK, thanks Christopher.
>
> I've raised a ticket for this [1] (and one also for the other thread [2]).
>
> Please add to it if there's anything missing/extra useful info.
>
> Dan
>
> [1] https://issues.apache.org/jira/browse/ISIS-883
> [2] https://issues.apache.org/jira/browse/ISIS-884
>
>
> On 9 September 2014 22:11, Christopher Fairhall <[email protected]> wrote:
>
>> On Tuesday, 9 September 2014 8:07 p.m. Dan Haywood <[email protected]> wrote:
>>
>> > A minor point (not that this negates the fact that a fix is needed to Isis)... only query-only actions,
>> > i.e. those that are declared to have no side-effects using @ActionSemantics(Of.SAFE) actions,
>> > are bookmarkable. So if you have a bookmarked action that is creating objects, then you ought
>> > to adjust its action semantics. In your particular case this might be a workaround to the security
>> > risk that's been flagged.
>>
>> We haven't used @ActionSemantics(Of.SAFE) on the create methods, only the query methods.
>> I believe the default is Of.NON_IDEMPOTENT.
>>
>> It's not the invocation that's being accessed by the bookmarkable URL, it's the form to enter the parameters.
>> Clicking the "OK" button on that form invokes the method.
>> The actual URL that causes the method invocation is
>> POST http://localhost:7001/rma/wicket/wicket/page?1-1.IFormSubmitListener-action-parameters-inputForm
>> with a standard x-www-form-urlencoded post body.
>>
>> On 8 September 2014 21:32, Christopher Fairhall <[email protected]> wrote:
>>
>> > On Monday, 8 September 2014 6:44 p.m. Dan Haywood <[email protected]> wrote:
>> >
>> > > Is the URL for an entity? Or the URL for a (query) action?
>> >
>> > I'm talking about bookmarkable URLs in the format
>> > http://localhost:7001/rma/wicket/wicket/bookmarkable/<Page class name>?pageType=ACTION&actionSingleResultsMode=REDIRECT&objectOid=<class name>:1&actionType=USER&actionOwningSpec=<class name>&actionId=<method description>&pageTitle=<page title>&actionMode=PARAMETERS
>> >
>> > It allows the execution of the method.
>> >
>> > Calling via the restfulobjects API
>> > /resultful/services/<serviceName>/actions/<methodName>/invoke
>> > fails with a 404 as expected when logging in with a user that has no access.
>> >
>> > > If the URL you are pasting in is for a query action, and it is firing, then you have indeed found an issue.
>> >
>> > Our security tester managed to call a method that created new entities.
>> >
>> > -------------------------------
>> > This email and any attachments may contain information that is confidential and subject to legal privilege. If you are not the intended recipient, any use, dissemination, distribution or duplication of this email and attachments is prohibited. If you have received this email in error please notify the author immediately and erase all copies of the email and attachments. The Ministry of Social Development accepts no responsibility for changes made to this message or attachments after transmission from the Ministry.
>> > -------------------------------
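As an added example (not code from this thread or from the Apache Isis project), the Python below reviews web server access logs for the two request shapes the thread describes: a bookmarkable action page reached with pageType=ACTION&actionMode=PARAMETERS, and the form-submit POST carrying IFormSubmitListener-action-parameters-inputForm that actually invokes the action. It assumes Combined Log Format with the authenticated user in the third field; the log lines, page class name, users and action names are constructed, and the "Owner#action" key for the set of @ActionSemantics(Of.SAFE) actions is a convention of this example only.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Combined Log Format: ip ident user [time] "method target proto" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ (\S+) \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
# Query marker of the POST that invokes the action (quoted in the thread)
INVOKE_MARKER = "IFormSubmitListener-action-parameters-inputForm"

def classify(line):
    """Return a dict for an action page or action invocation, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    _ip, user, method, target, status = m.groups()
    url = urlsplit(target)
    qs = parse_qs(url.query)
    if "/wicket/bookmarkable/" in url.path and qs.get("pageType") == ["ACTION"]:
        return {"kind": "action-page", "user": user, "status": int(status),
                "owner": qs.get("actionOwningSpec", ["?"])[0],
                "action": qs.get("actionId", ["?"])[0],
                "mode": qs.get("actionMode", ["?"])[0]}
    if method == "POST" and INVOKE_MARKER in target:
        return {"kind": "action-invoke", "user": user, "status": int(status)}
    return None

def suspicious_actions(lines, safe_actions):
    """Action pages served (HTTP 200) for actions not declared SAFE, marked
    'invoked' when the same user then submitted the parameter form."""
    findings, pending = [], {}
    for line in lines:
        ev = classify(line)
        if ev is None:
            continue
        if ev["kind"] == "action-page" and ev["status"] == 200:
            key = f'{ev["owner"]}#{ev["action"]}'
            if key not in safe_actions:
                pending[ev["user"]] = key
        elif ev["kind"] == "action-invoke" and ev["user"] in pending:
            findings.append((ev["user"], pending.pop(ev["user"]), "invoked"))
    findings.extend((u, k, "page-only") for u, k in pending.items())
    return sorted(findings)

# Constructed sample log lines (hypothetical host, page class, users, actions)
SAMPLE_LOG = """\
10.0.0.5 - alice [08/Sep/2014:18:44:01 +1200] "GET /rma/wicket/wicket/bookmarkable/ActionPage?pageType=ACTION&actionSingleResultsMode=REDIRECT&objectOid=Customers%3A1&actionType=USER&actionOwningSpec=Customers&actionId=newCustomer&pageTitle=New+Customer&actionMode=PARAMETERS HTTP/1.1" 200 5120
10.0.0.5 - alice [08/Sep/2014:18:44:09 +1200] "POST /rma/wicket/wicket/page?1-1.IFormSubmitListener-action-parameters-inputForm HTTP/1.1" 302 0
10.0.0.9 - bob [08/Sep/2014:18:50:22 +1200] "GET /rma/wicket/wicket/bookmarkable/ActionPage?pageType=ACTION&objectOid=Customers%3A1&actionType=USER&actionOwningSpec=Customers&actionId=findCustomers&actionMode=PARAMETERS HTTP/1.1" 200 4200
10.0.0.7 - carol [08/Sep/2014:18:55:03 +1200] "GET /rma/wicket/wicket/bookmarkable/ActionPage?pageType=ACTION&objectOid=Customers%3A1&actionType=USER&actionOwningSpec=Customers&actionId=newCustomer&actionMode=PARAMETERS HTTP/1.1" 200 5120
""".splitlines()
SAFE_ACTIONS = {"Customers#findCustomers"}  # the @ActionSemantics(Of.SAFE) ones
```

Every "invoked" finding is a user who reached a non-SAFE action's parameter form by URL and submitted it, which is the path the security tester used; compare those users against the action's intended authorization to find unauthorized invocations.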
