No, it can't. An advantage of JSF is because it keeps the component tree on the server (and applies the values from the request to it), the button must be present on the page for the action to be called.
So, if the button is present on the form, and the button has an action on it, the database can only be altered if the action is called? I'm asking to be uber-clear on this because it has such big security implications for me to make sure I'm understanding it.
You would need to check the JSF spec and implementation to make completely sure. But IIRC, no.
So it seems pretty dangerous to have any field which needs to be checked in a form using a a4j:commandButton. If there's a way to bypass the action of that a4j:commandButton. I can think of many instances where I have some important constraint that's too complex to express in a validation annotation, and I need to make sure that some method gets called before the change gets committed to the DB.
Am I asking the right question here? If so, what's a solution for this?