Bug #9692

system_authservers.php: Descriptive name can be changed by removing read-only property via inspect element

Added by Alex Z 3 months ago. Updated 3 months ago.

Status: Feedback
Priority: Very Low
Assignee:
Category: User Manager / Privileges
Target version:
Start date: 08/21/2019
Due date:
% Done: 100%
Estimated time:
Affected Version: 2.4.4-p3
Affected Architecture:

Description

Steps to reproduce:

  • Go to System -> User Mgmt -> Authentication Servers
  • Edit an existing entry
  • Open source code of the webpage in the browser's dev-tools and manipulate the value of the first field "Descriptive name"
  • Click save

Expected behavior:
Descriptive name should not change

Current behavior:
Descriptive name is changed to whatever was entered in the source code view

Associated revisions

Revision 24c4275d (diff)
Added by Jim Pingle 3 months ago

Add auth server name change input validation. Fixes #9692

Revision 695c5d51 (diff)
Added by Jim Pingle 3 months ago

Add auth server name change input validation. Fixes #9692

(cherry picked from commit 24c4275d7882352330fafd517fc948cba27bb979)

History

#1 Updated by Jim Pingle 3 months ago

  • Subject changed from System -> User Mgmt -> Authentication Servers: read-only field may be manipulated to system_authservers.php: Descriptive name can be changed by removing read-only property via inspect element
  • Category set to User Manager / Privileges
  • Assignee set to Jim Pingle
  • Priority changed from Low to Very Low
  • Target version set to 2.5.0

We can fix this, but it's not really what I'd consider a bug. We disable the field so the user can't do that easily and break places that have the server selected. There is only so much we can do to prevent a user from shooting their feet in places like this.

#2 Updated by Alex Z 3 months ago

I only figured this out because an auto-fill addon of the browser filled in that particular field, so yes, I don't consider this critical as well.

I would recommend not to send the value of that field when the save button is pressed to prevent it being modified.

#3 Updated by Jim Pingle 3 months ago

  • Status changed from New to Feedback
  • % Done changed from 0 to 100
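
The issue comes down to a read-only form attribute being enforced only by the browser, so the save handler has to check the name itself. A minimal server-side check of that kind, as an added example that is not the pfSense commit or pfSense code (the function name, the `name` and `host` fields and the sample data are assumptions):

```php
<?php
// Added illustration, not pfSense source. Function and field names are hypothetical.

// $servers: stored entries by id; $post: untrusted request fields;
// $id: entry being edited, or null when creating. Returns [errors, entry or null].
function validate_authserver_save(array $servers, array $post, ?int $id): array
{
    if ($id !== null && !isset($servers[$id])) {
        return [['Unknown authentication server entry.'], null];
    }
    $errors = [];
    $name = is_string($post['name'] ?? null) ? trim($post['name']) : '';

    if ($id !== null) {
        // Editing: the name is immutable. The readonly attribute in the markup is
        // only a hint to the browser, so compare against the stored value.
        if ($name !== $servers[$id]['name']) {
            $errors[] = 'The name of an existing authentication server cannot be changed.';
        }
    } else {
        // Creating: the name must be present and unique.
        if ($name === '') {
            $errors[] = 'A descriptive name is required.';
        }
        foreach ($servers as $server) {
            if ($server['name'] === $name) {
                $errors[] = 'An authentication server with this name already exists.';
                break;
            }
        }
    }
    if ($errors) {
        return [$errors, null];
    }
    // On edit, start from the stored entry so the name never comes from the request.
    $entry = $id !== null ? $servers[$id] : ['name' => $name];
    $entry['host'] = is_string($post['host'] ?? null) ? trim($post['host']) : '';
    return [[], $entry];
}

// Constructed sample data.
$servers = [0 => ['name' => 'corp-ldap', 'host' => 'ldap.example.test']];

// Name altered in the browser before saving: rejected, nothing to store.
[$errors, $entry] = validate_authserver_save($servers, ['name' => 'renamed', 'host' => 'ldap.example.test'], 0);
echo json_encode(['errors' => $errors, 'entry' => $entry]), "\n";

// Unchanged name with a new host: accepted, stored name preserved.
[$errors, $entry] = validate_authserver_save($servers, ['name' => 'corp-ldap', 'host' => 'ldap2.example.test'], 0);
echo json_encode(['errors' => $errors, 'entry' => $entry]), "\n";
```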
