Hello everyone,
Unit tests form the basis for meaningful quality assurance.
Therefore I would like to introduce the BDD framework.
For this, the actions of the AUT must be set to Public.
Is this a security risk and if so how can this be secured?
Hello Dominik,
Setting your actions to Public means they can be consumed and reused by other OutSystems modules - this can cause some architectural issues if those actions are consumed in inappropriate modules, but setting them to public by itself is not a security risk.
If you're building a reactive application and expose a Server action in an anonymous screen, that action will be exposed as a public REST API - this can be a liability depending on what your action does, but Service Studio will properly warn you of these cases.
Hi Afonso, thank you for the response.
So quite similar to public classes etc. in programming.
Public means only public within OutSystems.
Mostly correct, but I have to apologize - please read my post again, as I forgot to mention the reactive use case and had to edit it. It's a narrow exception, but it may be applicable to your situation.
OK, thank you very much for the explanation.
But then this concerns only server actions, and client actions are not affected.
If I understand it correctly, the system will then notify me if I expose a server action, and, like a REST API, the API access can also be secured?
Yes, Studio will notify you of these specific cases. You can secure those actions by adding validations to them, and by ensuring that, if they must remain public, they do not expose any sensitive information or allow users to write arbitrary data.
Hi Dominik,
It is not per se a security risk. However, we normally define server actions as public only if they need to be consumed by other modules. Now, if you were to make a private server action public just for testing, it would impact the outcome of seeing where your public (private) action is used. Furthermore, developers might start defining references to it, which they should not do.
This is what I did in the past:
What do you achieve with the above:
Regards,
Daniel
Thanks for the help and the idea to implement it this way.
I think this may be a good way to implement unit tests in OutSystems.