Creating Unit-Tests with public Actions

Setting your actions to Public means they can be consumed and reused by other OutSystems modules - this can cause some architectural issues if those actions are consumed in inappropriate modules, but setting them to public by itself is not a security risk.

If you're building a reactive application and expose a Server action in an anonymous screen, that action will be exposed as a public REST API - this can be a liability depending on what your action does, but Service Studio will properly warn you of these cases.

13 days ago

4 replies

Last reply 13 days ago

Show thread

Hide thread

Dominik Kowatsch

Hi Afonso,
thank you for the response.

So quite similar to public classes etc. in programming.

Public means only public within Outsystems.

13 days ago

Afonso Carvalho

mvp_badge

MVP

Replying to Dominik Kowatsch's comment on 02 Aug 2022 13:38:15

Mostly correct, but I have to apologize - please read my post again, as I forgot to mention the reactive usecase and had to edit it. It's a narrow exception, but it may be applicable to your situation.

13 days ago

Dominik Kowatsch

Replying to Afonso Carvalho's comment on 02 Aug 2022 13:45:18

Ok thank you very much for explanation.

But then this concerns only server actions and the client actions are not affected.

If I understand it correctly the system will then notify me if I expose a server action and like a REST API, the API Access can also be secured?

13 days ago

Afonso Carvalho

mvp_badge

MVP

Replying to Dominik Kowatsch's comment on 02 Aug 2022 13:57:27

Yes, Studio will notify you of these specific cases. You can secure those actions by adding validations to them, and ensuring that if they must remain public, that they do not expose any sensitive information or allow users to write arbitrary data.

13 days ago

Daniël Kuhlmann

mvp_badge

MVP

Hi Dominik,

It is not persé a security risk. However, we define server actions normally only public if they need to be consumed by other modules. Now, if you would make a private server action public just for testing. It will impact the outcome of seeing where your public (private) action is used. Furthermore, developers might start defining references to it, which they should not do.

This is what I did in the past:

Copy the private server action to service action
Rename the service action to <server action name>_Test
Replace the logic in the service action by a call to the server action
Make sure to map the output parameters of the server action to the output parameters of the service action.

What do you achieve with the above:

The server action can stay private, impact analysis is simple, only within the module
The server action can stay private, thus it cannot unintentionally be referenced and consumed.
Using a naming convention on the ServiceAction it is clear this action is ment for testing, it could unintentionally be called, but calling a _Test action in production code should be an easy red flag during code review.
Using service action, you now have a less tightly coupled test, meaning that the module with the BDD test doesn't need to be refreshed and republished every time the server action changes. Only with an additional mandatory input or output parameter on the server action, you would need to republish your test, as it would also affect the input and output parameters of the service action.

Regards,

Daniel

13 days ago

1 reply

12 days ago

Show thread

Hide thread

Dominik Kowatsch

Thanks for the help and the idea to implement it this way.

I think this may be a good way to implement unit tests in Outsystems.

12 days ago

Community GuidelinesBe kind and respectful, give credit to the original source of content, and search for duplicates before posting.

See the full guidelines