When using server-side form validation, the validation process occurs before the security identification and restriction. If I am not logged into a site and just call an API that has security restrict and server-side validation, the form returns the needed form field names. While form field names are not a huge issue, it allows someone to run a script against a site gathering all the form field names for your site rather quickly to aid in XSS attacks. Would it not be preferred to run the security modules first before anything else, server-side validation for example?
Why would you have a security restrict step in a server action having a login form? How would you restrict by identity if the user is not logged in?
The security restrict step is used when you want to protect server actions which require specific user permissions or a logged-in user.
Can you maybe post a screenshot of your server action steps, so that we can see what you're doing?
It's not. Let's say I have a change password API that has a security restrict in it. If I, without being currently logged in, just call that API directly and that API has server-side validation, I will get a response of {"form":{"Password1":"New password is required"}}, for example.
Is it possible you are validating inside the input properties menu?
That is the only clue I would have for this happening.
Maybe to prevent this, try the validate data component from the component selection and validate your data after the security restrict.
Still, you're right. I don't know if this is by accident or intended this way.
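The ordering issue raised in this thread, shown as an added example that is not part of any post and is not the platform's own code: a constructed change-password handler run with validation first and with the identity check first. The function names, the `Password2` field, the session shape and the 400/401 status codes are assumptions made for illustration.

```javascript
// Constructed model of a "change password" endpoint; not the platform's code.
// Hypothetical names: validateForm, restrict, handleValidateFirst, handleRestrictFirst.
const RULES = {
  Password1: "New password is required",          // message quoted in the thread
  Password2: "Password confirmation is required", // constructed second field
};

// Returns field -> message for every required field that is missing or empty.
function validateForm(body) {
  const errors = {};
  for (const [field, message] of Object.entries(RULES)) {
    if (typeof body[field] !== "string" || body[field] === "") errors[field] = message;
  }
  return errors;
}

// Identity check: a session carrying a userId counts as logged in (assumed shape).
function restrict(session) {
  return Boolean(session && session.userId);
}

// Order reported in the thread: validation answers before the identity check runs,
// so an anonymous caller learns the form field names from the error body.
function handleValidateFirst(req) {
  const errors = validateForm(req.body);
  if (Object.keys(errors).length) return { status: 400, body: { form: errors } };
  if (!restrict(req.session)) return { status: 401, body: {} };
  return { status: 200, body: {} };
}

// Restrict first: anonymous callers get a uniform 401 and never reach validation.
function handleRestrictFirst(req) {
  if (!restrict(req.session)) return { status: 401, body: {} };
  const errors = validateForm(req.body);
  if (Object.keys(errors).length) return { status: 400, body: { form: errors } };
  return { status: 200, body: {} };
}

// Constructed requests: an anonymous empty POST and a logged-in empty POST.
const anonymous = { session: null, body: {} };
const loggedIn = { session: { userId: 7 }, body: {} };

console.log(JSON.stringify(handleValidateFirst(anonymous))); // field names exposed
console.log(JSON.stringify(handleRestrictFirst(anonymous))); // empty 401 body
console.log(JSON.stringify(handleRestrictFirst(loggedIn)));  // validation for real users
```

Logged-in users still receive the per-field messages in the second ordering; only the anonymous response changes.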