Bypassing read-only: Inline field editing - Forum - Rollbase - Progress Community


  • "This field allows inline editing from view pages by clicking on icon" now I'm not really sure if this can be exploited, but I'll explain what I discovered. When setting a field to "Read Only" on the "Edit" page, a user cannot edit the field, not even by editing the source code to match the code of an editable field.

    Apparently that last thing is possible on the "View" page. I edited the source code to match the code of an inline editable field. The only thing I really had to change was the name: from "box" to "email". After editing I simply checked my checkbox and pressed save, storing the check successfully.

  • Hi,

    Can you provide some more information in regards to 'I edited the source code to match the code of an inline editable field.'
    Can you include some step-by-step instructions on how you succeeded in editing a read-only field?

    Thanks,
    Sven
  • I took the HTML of an inline editable field:

    <!-- field "web01_box": the view page renders the pencil icon because the field allows inline editing -->
    <td class="rbs_leftDataCol" id="rbi_F_web01_box" onmouseover="rbf_inline(true, 'web01_box');" onmouseout="rbf_inline(false, 'web01_box');">
    	<table border="0" cellpadding="0" cellspacing="0">
    		<tbody>
    			<tr height="16">
    				<td>
    					<img src="https://www.rollbase.com/prod1/images/notchecked.png" border="0" height="16" width="17">
    				</td>
    				<td valign="top">
    					&nbsp;&nbsp;
    					<!-- onclick is double-quoted so the single-quoted rbf_start arguments do not end the attribute early -->
    					<img style="margin-top:-4px;cursor:pointer;" id="rbi_I_web01_box" src="../images/pencil_no.gif" onclick="return rbf_start(109548444, '109551234', 'web01_box', 'web01_box');" align="absmiddle" height="12" width="14">
    				</td>
    			</tr>
    		</tbody>
    	</table>
    </td>


    And changed it so it would match the HTML of a non-inline editable field:

    <!-- same markup; only the field name in the ids and in the rbf_* arguments was changed from "box" to "email" -->
    <td class="rbs_leftDataCol" id="rbi_F_web01_email" onmouseover="rbf_inline(true, 'web01_email');" onmouseout="rbf_inline(false, 'web01_email');">
    	<table border="0" cellpadding="0" cellspacing="0">
    		<tbody>
    			<tr height="16">
    				<td>
    					<img src="https://www.rollbase.com/prod1/images/notchecked.png" border="0" height="16" width="17">
    				</td>
    				<td valign="top">
    					&nbsp;&nbsp;
    					<img style="margin-top:-4px;cursor:pointer;" id="rbi_I_web01_email" src="../images/pencil_no.gif" onclick="return rbf_start(109548444, '109551234', 'web01_email', 'web01_email');" align="absmiddle" height="12" width="14">
    				</td>
    			</tr>
    		</tbody>
    	</table>
    </td>


    And now it's possible to inline-edit a field that's not inline-editable. The same trick isn't possible with read-only fields on the Edit page, though.

  • Isn't this a security gap? This way a user could edit a field that would be read-only on every edit page.

  • Hi,

    This indeed looks like a defect to me. Let me try to reproduce and I'll report it to DEV.

    Cheers,
    Sven
  • Hi,

    I have created defect PSC00315585 to get this fixed.

    Kind regards,
    Sven
  • This is a misunderstanding: there is no "read only" property for View pages. So there is no reason for a defect.

    If you don't want a field to be editable inline, uncheck the "This field allows inline editing from view pages" box on the Field Edit page.

  • I think that matman managed to change a value of the field which did not allow inline editing. Am I wrong?
     
    From: pvorobie [mailto:bounce-pvorobie@community.progress.com]
    Sent: Friday, October 03, 2014 12:36 PM
    To: TU.Rollbase@community.progress.com
    Subject: RE: [Technical Users - Rollbase] Bypassing read-only: Inline field editing

  • Original post says nothing about disabling Inline editing

  • I didn't say it that explicitly, but what Yuriy said is what I meant. When disabling inline field editing, I'm still able to inline-edit the field by changing the source code.

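The posts above show the root cause: the view page only renders the pencil icon for fields flagged as inline-editable, and the server accepts whatever field name the (editable) DOM sends to rbf_start. The added example below is not Rollbase code; it is a generic server-side handler that contrasts that trusting pattern with one that re-checks its own field metadata, using a constructed FIELD_META table, a constructed request shape and the two field names from the thread.

```javascript
// Added example, not Rollbase code. FIELD_META, the request shape and the
// two handler functions are constructed assumptions for illustration.

// Server-side field metadata, mirroring the "This field allows inline
// editing from view pages" checkbox for each field of the object.
const FIELD_META = {
  web01_box:   { inlineEditable: true,  type: "boolean" },
  web01_email: { inlineEditable: false, type: "string"  },
};

// Vulnerable pattern: the server assumes the client only shows the pencil
// icon for inline-editable fields, so it applies any inline update as-is.
function applyInlineEditVulnerable(record, req) {
  record[req.fieldName] = req.value;
  return { ok: true, record };
}

// Hardened pattern: the per-field flag is enforced on the server for every
// inline update, regardless of how the request was produced in the browser.
function applyInlineEditHardened(record, req) {
  const meta = FIELD_META[req.fieldName];
  if (!meta) return { ok: false, reason: "unknown field" };
  if (!meta.inlineEditable) return { ok: false, reason: "field not inline-editable" };
  if (typeof req.value !== meta.type) return { ok: false, reason: "wrong value type" };
  record[req.fieldName] = req.value;
  return { ok: true, record };
}

// Constructed requests: the first is what a DOM with ids renamed from
// web01_box to web01_email would make rbf_start send; the second is legitimate.
const renamedRequest = { fieldName: "web01_email", value: "changed@example.com" };
const legitRequest   = { fieldName: "web01_box",   value: true };

function demo() {
  const before = { web01_box: false, web01_email: "owner@example.com" };
  return {
    vuln:  applyInlineEditVulnerable({ ...before }, renamedRequest), // accepted
    hard:  applyInlineEditHardened({ ...before }, renamedRequest),   // refused
    legit: applyInlineEditHardened({ ...before }, legitRequest),     // accepted
  };
}
```

Running demo() shows the vulnerable handler overwriting web01_email while the hardened handler refuses the same request and still accepts the legitimate checkbox update.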
  • Hi,

    Rollbase 3.2 Private and Hosted Cloud were released last weekend.
    As you can see on https://www.progress.com/products/rollbase/content/whats-new/release-notes/release-3-2-0, the issue you reported has been fixed.

    Kind regards,
    Sven