Hi,

Maybe I'm wrong, but for AJAX only a logged-in user could get that request to work, because it is page relative. Or am I completely wrong?
On Thu, Feb 1, 2018 at 10:45 PM, Carl-Eric Menzel <[email protected]> wrote:
> Hi,
>
> I've just encountered an interesting oddity. For a normal form submission,
> there is Form#onMethodMismatch where I can decide what should happen if
> somebody calls the form's URL with a GET request rather than the usual
> POST. At least in 6.x and 7.x this is called from onFormSubmitted() - but
> not from onFormSubmitted(submitter).
>
> The result is that for forms that have an ajax button and thus a valid
> submitter, I can't stop somebody building a GET request and firing that
> against the button's URL. Theoretically I could override
> AjaxFormSubmitBehavior's onEvent method, but that doesn't work for ajax
> buttons, which build their own AjaxFormSubmitBehavior.
>
> On one of my current projects the customer is quite security-minded and
> would like the application to block these GET requests. My question is: Is
> it intentional that only the regular onFormSubmitted() method checks this?
> If yes, I'd like to know the reasoning please. If not, I'm going to write a
> patch to fix this.
>
> Or maybe I'm missing something and am going the wrong way entirely. In
> that case, let me know please.
>
> Carl-Eric
>

-- 
Regards - Ernesto Reinaldo Barreiro
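As an added illustration (not code from this thread or from Wicket itself) of the application-side fix Carl-Eric describes: a Form subclass that runs the same HTTP-method check on the onFormSubmitted(submitter) path, so ajax-button submissions are covered as well as plain ones. It assumes the Wicket 6.x/7.x API as described in the thread: Form#getMethod(), an overridable Form#onMethodMismatch() returning Form.MethodMismatchResponse (ABORT/CONTINUE), and getRequest().getContainerRequest() being an HttpServletRequest under a servlet container.

```java
import javax.servlet.http.HttpServletRequest;
import org.apache.wicket.markup.html.form.Form;
import org.apache.wicket.markup.html.form.IFormSubmitter;

/**
 * Form that repeats the HTTP-method check for the submitter path.
 * Illustration only; assumes the Wicket 6.x/7.x Form API named above.
 */
public class MethodCheckingForm<T> extends Form<T>
{
	public MethodCheckingForm(String id)
	{
		super(id);
	}

	@Override
	public void onFormSubmitted(IFormSubmitter submitter)
	{
		// The no-arg onFormSubmitted() checks the method before delegating here,
		// but ajax submitters call this overload directly, so check again here.
		if (isMethodMismatch() && onMethodMismatch() == Form.MethodMismatchResponse.ABORT)
		{
			return; // drop the request: no validation, no onSubmit()
		}
		super.onFormSubmitted(submitter);
	}

	/** True when the request's HTTP method differs from the form's configured method. */
	private boolean isMethodMismatch()
	{
		Object container = getRequest().getContainerRequest();
		if (!(container instanceof HttpServletRequest))
		{
			return false; // not a servlet request (e.g. a unit test); nothing to compare
		}
		String actual = ((HttpServletRequest)container).getMethod();
		return !actual.equalsIgnoreCase(getMethod());
	}

	@Override
	protected Form.MethodMismatchResponse onMethodMismatch()
	{
		// The requirement from the thread: refuse GET submissions outright.
		return Form.MethodMismatchResponse.ABORT;
	}
}
```

Because the no-arg onFormSubmitted() returns before delegating when it aborts, the check runs at most once per request on the plain path and exactly once on the ajax path.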
