Ok. But does that posses a real security issue? i.e not logged used triggering a click on "that" button that does not exists for them?
On Fri, Feb 2, 2018 at 3:36 PM, Carl-Eric Menzel <cmen...@wicketbuch.de> wrote: > You're not wrong, but I'd still like to be able to block GET. And the > other question is *why* this check isn't done for forms with submit > components (I haven't tried it, but I suspect using a regular button > rather than an ajax button would run into the same issue). > > On Fri, Feb 2, 2018, at 14:45, Ernesto Reinaldo Barreiro wrote: > > Hi, > > > > Maybe I'm wrong but for AJAX only logged in user could get that > > REQUEST to> work because it is page relative. Or am I completely wrong? > > > > On Thu, Feb 1, 2018 at 10:45 PM, Carl-Eric Menzel > > <cmen...@wicketbuch.de>> wrote: > > > >> Hi, > >> > >> I've just encountered an interesting oddity. For a normal form > >> submission,>> there is Form#onMethodMismatch where I can decide what > should > >> happen if>> somebody calls the form's URL with a GET request rather than > >> the usual>> POST. At least in 6.x and 7.x this is called from > >> onFormSubmitted() - but>> not from onFormSubmitted(submitter). > >> > >> The result is that for forms that have an ajax button and thus > >> a valid>> submitter, I can't stop somebody building a GET request and > >> firing that>> against the button's URL. Theoretically I could override > >> AjaxFormSubmitBehavior's onEvent method, but that doesn't work > >> for ajax>> buttons, which build their own AjaxFormSubmitBehavior. > >> > >> On one of my current projects the customer is quite security- > >> minded and>> would like the application to block these GET requests. My > >> question is: Is>> it intentional that only the regular > onFormSubmitted() method > >> checks this?>> If yes, I'd like to know the reasoning please. If not, > I'm going to > >> write a>> patch to fix this. > >> > >> Or maybe I'm missing something and am going the wrong way > >> entirely. In>> that case, let me know please. > >> > >> Carl-Eric > >> > > > > > > > > -- > > Regards - Ernesto Reinaldo Barreiro > > -- Regards - Ernesto Reinaldo Barreiro
