# 2.4.10

## Overview

 * Security: Undefined `$allowed_actions` overrides parent definitions
 * API: More restrictive `$allowed_actions` checks for `Controller` when used with `Extension`

## Details

### Security: Undefined `$allowed_actions` overrides parent definitions

Severity: Important

Description: `Controller` (and subclasses) failed to enforce `$allowed_action` restrictions
on parent classes if a child class didn't have it explicitly defined.

Impact: Depends on the used controller code. For any method with public visibility,
the flaw can expose the return value of the method (unless it fails due to wrong arguments).
It can also lead to unauthorized or unintended execution of logic, e.g. modifying the
state of a database record.

Fix: Apply the 2.4.10 update. In addition, we strongly recommend to define `$allowed_actions`
on all controller classes to ensure the intentions are clearly communicated.

### API: More restrictive `$allowed_actions` checks for `Controller` when used with `Extension`

Controllers which are extended with `$allowed_actions` (through an `Extension`)
now deny access to methods defined on the controller, unless this class also has them in its own
`$allowed_actions` definition.

## Upgrading