Creating Unit-Tests with public Actions

Hello together,

Unit tests form the basis for meaningful quality assurance.

Therefore I would like to introduce the BDD framework. 

For this, the actions of the AUT must be set to Public.

Is this a security risk and if so how can this be secured?


Hello Dominik,

Setting your actions to Public means they can be consumed and reused by other OutSystems modules - this can cause some architectural issues if those actions are consumed in inappropriate modules, but setting them to public by itself is not a security risk.

If you're building a reactive application and expose a Server action in an anonymous screen, that action will be exposed as a public REST API - this can be a liability depending on what your action does, but Service Studio will properly warn you of these cases.

Hi Afonso, 
thank you for the response.

So quite similar to public classes etc. in programming. 

Public means only public within OutSystems.


Mostly correct, but I have to apologize - please read my post again, as I forgot to mention the reactive use case and had to edit it. It's a narrow exception, but it may be applicable to your situation.

OK, thank you very much for the explanation.

But then this concerns only server actions and the client actions are not affected. 

If I understand it correctly, the system will then notify me if I expose a server action and, like a REST API, the API access can also be secured?


Yes, Studio will notify you of these specific cases. You can secure those actions by adding validations to them, and ensuring that, if they must remain public, they do not expose any sensitive information or allow users to write arbitrary data.


Hi Dominik,

It is not per se a security risk. However, we normally define server actions as public only if they need to be consumed by other modules. Now, if you make a private server action public just for testing, it will impact the outcome of seeing where your public (private) action is used. Furthermore, developers might start defining references to it, which they should not do.

This is what I did in the past:

  1. Copy the private server action to a service action
  2. Rename the service action to <server action name>_Test
  3. Replace the logic in the service action by a call to the server action
  4. Make sure to map the output parameters of the server action to the output parameters of the service action.

What do you achieve with the above:

  1. The server action can stay private, impact analysis is simple, only within the module
  2. The server action can stay private, thus it cannot unintentionally be referenced and consumed.
  3. Using a naming convention on the service action, it is clear this action is meant for testing. It could unintentionally be called, but calling a _Test action in production code should be an easy red flag during code review.
  4. Using service action, you now have a less tightly coupled test, meaning that the module with the BDD test doesn't need to be refreshed and republished every time the server action changes. Only with an additional mandatory input or output parameter on the server action, you would need to republish your test, as it would also affect the input and output parameters of the service action.



Thanks for the help and the idea to implement it this way.

I think this may be a good way to implement unit tests in OutSystems.
