Option for override /xas requests - Mendix Forum


Currently, the "/xas" requests can't be overridden using the Core.addRequestHandler() method.

But there should be an option to override the "/xas" requests, e.g. via a Java action.


Hi Andries,

This limitation is a type of threat to Mendix apps.

In one of the projects we were working on, this limitation was a roadblock for us.

Suppose a scenario where an entity has more than 200k records. This application is a kind of analytical application, so the user needs access to all objects. So, read permission is granted for this entity.

As part of a pen test, testers identified that modifying the "/xas" request from Postman can hurt the entire app. This can be done by setting the action to "retrieve_by_xpath" and providing an XPath that retrieves all data. So, the client is requesting all data at once.

In a normal scenario this is not valid, because we already implemented pagination.

But this attack scenario is a vulnerability.

The logic should be that the server rejects such an xas request when it comes in.

This is not feasible as of now.

See the forum post for this scenario:

https://community.mendix.com/link/space/xpath/questions/141514

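Added example, not code from the post or from Mendix: since the runtime itself cannot intercept "/xas" here, a defender can still apply the check the answer asks for in front of the runtime (a reverse proxy or WAF) or over captured request bodies. The body shape (`action`, `params.schema.limit`), the sample requests and the 200-row threshold are assumptions for illustration.

```python
import json
from typing import Optional

# Assumed largest page size a paginated UI legitimately asks for.
MAX_LIMIT = 200


def classify_xas_request(body: str, max_limit: int = MAX_LIMIT) -> Optional[str]:
    """Return a reason string if an /xas body looks like an unbounded bulk
    retrieve_by_xpath, or None if it passes the check."""
    try:
        req = json.loads(body)
    except json.JSONDecodeError:
        return "malformed JSON body"
    if not isinstance(req, dict) or req.get("action") != "retrieve_by_xpath":
        return None  # other actions are outside the scope of this check
    schema = req.get("params", {}).get("schema", {})
    limit = schema.get("limit")
    if limit is None:
        return "retrieve_by_xpath without a limit"
    # Non-positive limits are treated as "no limit"; oversized ones as bulk pulls.
    if not isinstance(limit, int) or limit <= 0 or limit > max_limit:
        return f"retrieve_by_xpath limit {limit!r} outside 1..{max_limit}"
    return None


# Constructed sample bodies; entity and XPath names are placeholders.
SAMPLE_REQUESTS = {
    "paginated": json.dumps({"action": "retrieve_by_xpath", "params": {
        "xpath": "//MyModule.Measurement",
        "schema": {"offset": 0, "limit": 20}}}),
    "unbounded": json.dumps({"action": "retrieve_by_xpath", "params": {
        "xpath": "//MyModule.Measurement", "schema": {}}}),
    "huge_limit": json.dumps({"action": "retrieve_by_xpath", "params": {
        "xpath": "//MyModule.Measurement",
        "schema": {"offset": 0, "limit": 250000}}}),
    "other_action": json.dumps({"action": "get_session_data", "params": {}}),
}


def scan(requests: dict) -> dict:
    """Map each sample name to its verdict (None means allowed)."""
    return {name: classify_xas_request(body) for name, body in requests.items()}


if __name__ == "__main__":
    for name, verdict in scan(SAMPLE_REQUESTS).items():
        print(f"{name:13s} -> {verdict or 'allowed'}")
```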

Could you please explain why you need this? What would you like to achieve and what business value does this feature bring?
