Issue 7257

User can remove readonly attribute when we use dynamic states and bypass model restrictions
Enforce readonly on field (issue 4207)
Nosy list
bch, ced, nicoe, pokoli, sharkcz, wise, yangoon
Assigned to

Created on 2018-03-23.17:59:01 by wise, last changed 50 months ago by ced.


Author: [hidden] (ced) Tryton committer Tryton translator
Date: 2018-03-26.22:01:00
So I mark as invalid.
Author: [hidden] (pokoli) Tryton committer Tryton translator
Date: 2018-03-24.11:36:16
I agree that we should invalidate it. The way to improve it is by implementing issue4207
Author: [hidden] (ced) Tryton committer Tryton translator
Date: 2018-03-23.18:33:02
For me, it is not a security issue because it is a behavior (or more a "non-behavior") that is known with issue4207.
There are many places in modules where specific code is written to enforce a kind of "readonly".
Also the field access already exists if someone wants to restrict it.

Side note, it is not linked to sao at all because it is not the client that should enforce the access rights.

So I'm in favor of invalidating this issue.
Author: [hidden] (wise)
Date: 2018-03-23.17:59:01
Steps to reproduce

I create a party as in the screenshot
I remove the readonly attribute on the field (readonly implemented via states) from the HTML
I change the party code and save the change
Tree view after saving the change

Someone with some technical knowledge of HTML can remove the readonly attribute and bypass model restrictions when we use dynamic states.
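The report above shows that a readonly attribute in the client is only a UI hint, and ced's reply notes that modules enforce readonly server-side with specific code. The following is an added example illustrating that server-side pattern; it is not trytond's or sao's own code, and the names (READONLY_STATES, write, ReadonlyViolation, the party-like record dict) are hypothetical, loosely modelled on a field declared with states={'readonly': <expression>}.

```python
# Added example, not Tryton code: the server re-evaluates a field's readonly
# state against the *stored* record before accepting a write, so stripping the
# readonly attribute in the browser changes nothing on the server side.


class ReadonlyViolation(Exception):
    """Raised when a write touches a field that is readonly for that record."""


# Hypothetical party-like model: once a code has been assigned it is readonly,
# the name stays editable. Each entry maps a field to a predicate evaluated on
# the stored values, never on what the client claims about the record.
READONLY_STATES = {
    "code": lambda rec: bool(rec.get("code")),
    "name": lambda rec: False,
}


def write(record, values, states=READONLY_STATES):
    """Apply `values` to `record` (a dict of stored values).

    Refuses to change any field whose readonly state evaluates to True for the
    current record. Returns the updated record, or raises ReadonlyViolation.
    Re-sending an unchanged value for a readonly field is tolerated.
    """
    for field, new_value in values.items():
        is_readonly = states.get(field, lambda rec: False)(record)
        if is_readonly and record.get(field) != new_value:
            raise ReadonlyViolation(
                f"field {field!r} is readonly for this record; refusing write")
    updated = dict(record)
    updated.update(values)
    return updated


def demo():
    """Constructed walk-through mirroring the report: the saved party already
    has a code, and a client that removed the readonly attribute posts a new
    one. The server rejects it regardless of what the form allowed."""
    party = {"id": 1, "name": "Example party", "code": "1"}  # constructed
    try:
        write(party, {"code": "42"})
        return "accepted"
    except ReadonlyViolation:
        return "rejected"
```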
Date                User    Action  Args
2018-03-26 22:01:00 ced     set     status: chatting -> invalid; messages: + msg39434
2018-03-24 11:36:17 pokoli  set     messages: + msg39312
2018-03-23 18:33:03 ced     set     status: unread -> chatting; component: + trytond, - sao; superseder: + Enforce readonly on field; messages: + msg39284
2018-03-23 17:59:01 wise    create
