Here is the proposal for the so-called "safe actions filter" in Openbiz 2.4. It will be committed to the 2.4 SVN before February.
First, only method calls on Form objects are allowed from the browser. Method calls on any other object are blocked by the controller.
Second, the EasyForm class will have a new method:
public function getMethodsWhiteList()
This method returns the list of methods that are exposed to the browser client. By default, EasyForm composes the list from:
- All methods referenced by EventHandlers in the form metadata. Say you have 2 EventHandlers on 2 button elements of user.AccountForm, linking to the methods "editAccount" and "resetPassword". Then only these 2 methods are in the white list.
- A few safe methods, like "selectRecord", which usually are not linked to an event handler.
getMethodsWhiteList() can be overridden by any of your form classes to implement custom logic.
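To make the two rules concrete, here is a PHP sketch of the filter. It is an added illustration, not Openbiz's own code: the metadata array shape, the `DispatchController` class, the `AdminAccountForm` subclass and the business methods other than selectRecord are all assumed for the example.

```php
<?php
// Added illustration of the proposed "safe actions filter"; not Openbiz's own code.
// Assumed: form metadata is an array with an "Elements" list, each element carrying
// optional "EventHandlers" whose "Function" attribute looks like
// "user.AccountForm.editAccount()" or "resetPassword()". DispatchController,
// AdminAccountForm and the business methods are hypothetical.

class EasyForm
{
    protected $metadata;

    // Safe methods that are exposed even when no event handler points at them.
    protected $safeMethods = array('selectRecord');

    public function __construct(array $metadata)
    {
        $this->metadata = $metadata;
    }

    // Default white list: every method referenced by an EventHandler in the
    // form metadata, plus the built-in safe methods.
    public function getMethodsWhiteList()
    {
        $list = $this->safeMethods;
        foreach ($this->metadata['Elements'] as $element) {
            if (empty($element['EventHandlers'])) {
                continue;
            }
            foreach ($element['EventHandlers'] as $handler) {
                // Take the identifier immediately before "(" so that both
                // "form.method()" and "method()" are handled.
                if (preg_match('/(\w+)\s*\(/', $handler['Function'], $m)) {
                    $list[] = $m[1];
                }
            }
        }
        return array_values(array_unique($list));
    }

    public function editAccount()   { return 'account edited'; }
    public function resetPassword() { return 'password reset'; }
    public function selectRecord()  { return 'record selected'; }
    // Public, but not reachable from the browser: no handler references it.
    public function deleteAllRecords() { return 'everything deleted'; }
}

// Overriding the default list with custom logic (hypothetical subclass).
class AdminAccountForm extends EasyForm
{
    public function getMethodsWhiteList()
    {
        $list = parent::getMethodsWhiteList();
        if (!empty($this->metadata['AdminMode'])) {
            $list[] = 'deleteAllRecords';
        }
        return $list;
    }
}

// Hypothetical controller entry point for a browser request that names an
// object and a method (e.g. ?form=user.AccountForm&method=resetPassword).
class DispatchController
{
    public function invoke($object, $method, array $args = array())
    {
        // Rule 1: only Form objects may be called from the browser.
        if (!($object instanceof EasyForm)) {
            throw new RuntimeException('only form objects can be called from the browser');
        }
        // Rule 2: the method must be on the form's white list (exact string match).
        if (!in_array($method, $object->getMethodsWhiteList(), true)) {
            throw new RuntimeException("method '$method' is not exposed to the browser");
        }
        return call_user_func_array(array($object, $method), $args);
    }
}

// Constructed metadata standing in for user.AccountForm with two buttons.
$metadata = array(
    'Elements' => array(
        array('Name' => 'btnEdit',  'EventHandlers' => array(
            array('Event' => 'onclick', 'Function' => 'user.AccountForm.editAccount()'))),
        array('Name' => 'btnReset', 'EventHandlers' => array(
            array('Event' => 'onclick', 'Function' => 'user.AccountForm.resetPassword()'))),
        array('Name' => 'fldName'), // plain field, no handlers
    ),
);
$form = new EasyForm($metadata);
$ctl  = new DispatchController();

print_r($form->getMethodsWhiteList());
echo $ctl->invoke($form, 'resetPassword'), "\n";
try {
    $ctl->invoke($form, 'deleteAllRecords'); // public method, but not white-listed
} catch (RuntimeException $e) {
    echo 'blocked: ', $e->getMessage(), "\n";
}
```

The point of the design is that the check lives in the controller, so a form class cannot forget it, and the default list is derived from the metadata, so a method becomes reachable only when a button or other element actually references it; a public helper such as deleteAllRecords stays unreachable until a subclass deliberately adds it.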