Bug #9692
closed
system_authservers.php: Descriptive name can be changed by removing read-only property via inspect element
100%
Description
Steps to reproduce:
- Go to System -> User Mgmt -> Authentication Servers
- Edit an existing entry
- Open source code of the webpage in the browser's dev-tools and manipulate the value of the first field "Descriptive name"
- Click save
Expected behavior:
Descriptive name should not change
Current behavior:
Descriptive name is changed to whatever was entered in the source code view
Updated by Jim Pingle over 4 years ago
- Subject changed from System -> User Mgmt -> Authentication Servers: read-only field may be manipulated to system_authservers.php: Descriptive name can be changed by removing read-only property via inspect element
- Category set to User Manager / Privileges
- Assignee set to Jim Pingle
- Priority changed from Low to Very Low
- Target version set to 2.5.0
We can fix this, but it's not really what I'd consider a bug. We disable the field so the user can't do that easily and break places that have the server selected. There is only so much we can do to prevent a user from shooting their feet in places like this.
Updated by Alex Z over 4 years ago
I only figured this out because an auto-fill addon of the browser filled in that particular field, so yes I dont consider this critical as well..
I would recommend not to send the value of that field when the save button is pressed to prevent it beeing modified.
Updated by Jim Pingle over 4 years ago
- Status changed from New to Feedback
- % Done changed from 0 to 100
Applied in changeset 24c4275d7882352330fafd517fc948cba27bb979.
Updated by Jim Pingle over 4 years ago
- Target version changed from 2.5.0 to 2.4.5
Updated by Jim Pingle over 4 years ago
- Status changed from Feedback to Resolved
Changes are rejected when attempted in this manner on 2.4.5.a.20191217.0637