#29 BUG: system methods must not be treated as controller action

[Christian Vega]

All methods used by controller base classes are prefixed with double-underscore (e.g., initialize, call, etc), but this does not make it safe from direct calling from the URL, hence the controller loader must check if the action is prefixed by double-underscore, and if so, do not call it.