Fixed potential bug that allows actions to be called directly by including the Action suffix, thereby bypassing the before filter

Author: daveh

Core/Router.php

@@ -117,11 +117,11 @@ public function dispatch($url)
                 $action = $this->params['action'];
                 $action = $this->convertToCamelCase($action);
 
-                if (is_callable([$controller_object, $action])) {
+                if (preg_match('/action$/i', $action) == 0) {
                     $controller_object->$action();
 
                 } else {
-                    throw new \Exception("Method $action (in controller $controller) not found");
+                    throw new \Exception("Method $action in controller $controller cannot be called directly - remove the Action suffix to call this method");
                 }
             } else {
                 throw new \Exception("Controller class $controller not found");