You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Enforce read-only mode on HTTP method, not just allowableActions
Dev QA caught a bypass: the allowableActions gate lives inside the base
ModelController action methods, but controllers that override them (e.g.
KytePasswordResetController::new) never re-check — so the mode-1
read-only intersect was silently bypassed and an anonymous POST executed.
ModelController::init() now throws for any non-GET app_context request
when allow_public=1, before any action method can run. The intersect
stays as defense in depth for base-class actions.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
0 commit comments