Issue 7257

Title
user can remove readonly attribute when we use dynamic states and bypass restrictions model
Priority
bug
Status
invalid
Superseder
Enforce readonly on field (issue 4207)
Nosy list
bch, ced, nicoe, pokoli, sharkcz, wise, yangoon
Assigned to
Keywords

Created on 2018-03-23.17:59:01 by wise, last changed 43 months ago by ced.

Messages

Author: [hidden] (ced) Tryton committer Tryton translator
Date: 2018-03-26.22:01:00
So I mark as invalid.
Author: [hidden] (pokoli) Tryton committer Tryton translator
Date: 2018-03-24.11:36:16
I agree that should invalidate it. The way to improve it is by implementing issue4207
Author: [hidden] (ced) Tryton committer Tryton translator
Date: 2018-03-23.18:33:02
For me, it is not a security issue because it is a behavior (or more an "non-behavior") that is known with issue4207.
There are many places in modules where specific code is written to enforce a kind of "readonly".
Also the field access already exists if someone wants to restrict it.

Side note, it is not linked to sao at all because it is not the client that should enforce the access rights.

So I'm in favor of invalidating this issue.
Author: [hidden] (wise)
Date: 2018-03-23.17:59:01
Steps to reproduce

I create a party as the screenshot https://pasteboard.co/HdfGj0t.png
I remove readonly attribute on field (implemented readonly on states) from html https://pasteboard.co/HdfGvxQ.png
I change the code party and save change https://pasteboard.co/HdfGE0Y.png
Treeview after save change https://pasteboard.co/HdfGTcY.png

Someone with some technical knowledge on html can remove readonly attribute and bypass restrictions model when we use dynamic states.
History
Date User Action Args
2018-03-26 22:01:00cedsetstatus: chatting -> invalid
messages: + msg39434
2018-03-24 11:36:17pokolisetmessages: + msg39312
2018-03-23 18:33:03cedsetstatus: unread -> chatting
component: + trytond, - sao
superseder: + Enforce readonly on field
messages: + msg39284
2018-03-23 17:59:01wisecreate

Showing 10 items. Show all history (warning: this could be VERY long)