Bug #9692

system_authservers.php: Descriptive name can be changed by removing read-only property via inspect element

Added by Alex Z 27 days ago. Updated 21 days ago.

Status: Feedback
Priority: Very Low
Assignee:
Category: User Manager / Privileges
Target version:
Start date: 08/21/2019
Due date:
% Done: 100%
Estimated time:
Affected Version: 2.4.4-p3
Affected Architecture:

Description

Steps to reproduce:

  • Go to System -> User Mgmt -> Authentication Servers
  • Edit an existing entry
  • Open source code of the webpage in the browser's dev-tools and manipulate the value of the first field "Descriptive name"
  • Click save

Expected behavior:
Descriptive name should not change

Current behavior:
Descriptive name is changed to whatever was entered in the source code view

Associated revisions

Revision 24c4275d (diff)
Added by Jim Pingle 21 days ago

Add auth server name change input validation. Fixes #9692

Revision 695c5d51 (diff)
Added by Jim Pingle 21 days ago

Add auth server name change input validation. Fixes #9692

(cherry picked from commit 24c4275d7882352330fafd517fc948cba27bb979)

History

#1 Updated by Jim Pingle 27 days ago

  • Subject changed from System -> User Mgmt -> Authentication Servers: read-only field may be manipulated to system_authservers.php: Descriptive name can be changed by removing read-only property via inspect element
  • Category set to User Manager / Privileges
  • Assignee set to Jim Pingle
  • Priority changed from Low to Very Low
  • Target version set to 2.5.0

We can fix this, but it's not really what I'd consider a bug. We disable the field so the user can't do that easily and break places that have the server selected. There is only so much we can do to prevent a user from shooting their feet in places like this.

#2 Updated by Alex Z 26 days ago

I only figured this out because an auto-fill addon of the browser filled in that particular field, so yes, I don't consider this critical either.

I would recommend not to send the value of that field when the save button is pressed to prevent it being modified.

#3 Updated by Jim Pingle 21 days ago

  • Status changed from New to Feedback
  • % Done changed from 0 to 100
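
The server-side check this issue is about, as an added example (not pfSense code and not the change made in revision 24c4275d): when an existing entry is edited, the stored name is authoritative and a submitted value that differs from it is rejected, whether or not the browser kept the field read-only. The function name, its parameters and the sample data are hypothetical.

```php
<?php
// Added illustration only; every identifier below is hypothetical.

/**
 * Decide which name to save for an authentication server entry.
 * $stored_name is null when a new entry is created, otherwise the saved name.
 * Returns [list of input errors, name to save].
 */
function resolve_authserver_name(?string $stored_name, array $post, array $existing_names): array
{
    $errors = [];
    $submitted = isset($post['name']) ? trim((string)$post['name']) : '';

    if ($stored_name === null) {
        // New entry: the name comes from the client, so validate it fully.
        if ($submitted === '') {
            $errors[] = 'A descriptive name is required.';
        } elseif (in_array($submitted, $existing_names, true)) {
            $errors[] = 'An authentication server with this name already exists.';
        }
        return [$errors, $submitted];
    }

    // Existing entry: a read-only or disabled form field is only a browser
    // hint. A disabled field is not submitted at all and a read-only field
    // is sent back unchanged, so any other value means the form was altered
    // (dev tools, auto-fill add-on, hand-built request).
    if ($submitted !== '' && $submitted !== $stored_name) {
        $errors[] = 'The name of an existing authentication server cannot be changed.';
    }
    // Never take the name from the request when editing.
    return [$errors, $stored_name];
}

// Constructed sample requests against a stored entry named "corp-ldap".
$requests = [
    'untouched' => ['name' => 'corp-ldap'],
    'omitted'   => [],                        // field not sent with the form
    'tampered'  => ['name' => 'renamed-in-devtools'],
];
foreach ($requests as $label => $post) {
    [$errors, $name] = resolve_authserver_name('corp-ldap', $post, ['corp-ldap']);
    printf("%-9s errors=%d saved_name=%s\n", $label, count($errors), $name);
}
```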
