Bypassing read-only: Inline field editing

Posted by matman on 22-Sep-2014 07:45

"This field allows inline editing from view pages by clicking on icon". Now I'm not really sure if this can be exploited, but I'll explain what I discovered. When setting a field to "Read Only" on the "Edit" page, a user cannot edit the field, not even by editing the source code to match the code of an editable field.

Apparently that last thing is possible on the "View" page. I edited the source code to match the code of an inline-editable field. The only thing I really had to change was the name: from "box" to "email". After editing I simply checked my checkbox and pressed save, storing the check successfully.

All Replies

Posted by Sven Cuypers on 24-Sep-2014 09:16

Hi,

Can you provide some more information regarding 'I edited the source code to match the code of an inline editable field.'?
Can you include some step-by-step instructions on how you succeeded in editing a read-only field?

Thanks,
Sven

Posted by matman on 24-Sep-2014 09:40

I took the HTML of an inline editable field:

<td class="rbs_leftDataCol" id="rbi_F_web01_box" onmouseover="rbf_inline(true, 'web01_box');" onmouseout="rbf_inline(false, 'web01_box');">
	<table border="0" cellpadding="0" cellspacing="0">
		<tbody>
			<tr height="16">
				<td>
					<img src="https://www.rollbase.com/prod1/images/notchecked.png" border="0" height="16" width="17">
				</td>
				<td valign="top">
					&nbsp;&nbsp;
					<img style="margin-top:-4px;cursor:pointer;" id="rbi_I_web01_box" src="../images/pencil_no.gif" onclick="return rbf_start(109548444, '109551234', 'web01_box', 'web01_box');" align="absmiddle" height="12" width="14">
				</td>
			</tr>
		</tbody>
	</table>
</td>


And changed it so it would match the HTML of a non-inline-editable field:

<td class="rbs_leftDataCol" id="rbi_F_web01_email" onmouseover="rbf_inline(true, 'web01_email');" onmouseout="rbf_inline(false, 'web01_email');">
	<table border="0" cellpadding="0" cellspacing="0">
		<tbody>
			<tr height="16">
				<td>
					<img src="https://www.rollbase.com/prod1/images/notchecked.png" border="0" height="16" width="17">
				</td>
				<td valign="top">
					&nbsp;&nbsp;
					<img style="margin-top:-4px;cursor:pointer;" id="rbi_I_web01_email" src="../images/pencil_no.gif" onclick="return rbf_start(109548444, '109551234', 'web01_email', 'web01_email');" align="absmiddle" height="12" width="14">
				</td>
			</tr>
		</tbody>
	</table>
</td>


And now it's possible to inline-edit a field that's not inline-editable. The same trick isn't possible with read-only fields on the Edit page though.

Posted by matman on 30-Sep-2014 08:23

Isn't this a security gap? This way a user could edit a field that would be read-only on every edit page.

Posted by Sven Cuypers on 30-Sep-2014 09:33

Hi,

This indeed looks like a defect to me. Let me try to reproduce and I'll report it to DEV.

Cheers,
Sven

Posted by Sven Cuypers on 03-Oct-2014 10:30

Hi,

I have created defect PSC00315585 to get this fixed.

Kind regards,
Sven

Posted by pvorobie on 03-Oct-2014 11:35

This is a misunderstanding: there is no "read only" property for View pages. So there is no reason for a defect.

If you don't want the field to be editable inline, uncheck the "This field allows inline editing from view pages" box on the Field Edit page.

Posted by Yuriy Kupershmidt on 03-Oct-2014 12:16

I think that matman managed to change a value of the field which did not allow inline editing. Am I wrong?

Posted by pvorobie on 03-Oct-2014 12:58

The original post says nothing about disabling inline editing.

Posted by matman on 06-Oct-2014 01:58

I didn't say it that explicitly, but what Yuriy said is what I meant. When disabling inline field editing, I'm still able to inline-edit the field by changing the source code.
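
The behaviour matman describes above is a client-side control (the pencil icon is simply not rendered for fields with inline editing disabled) that is not re-checked by the endpoint that stores the inline update. The following is an added example written for this page, not Rollbase code and not a description of Rollbase internals: it parses the field name out of the posted `rbf_start(...)` handler to show that the name originates in client-controlled markup, then contrasts an update handler that trusts that name with one that re-checks the field's inline-editing flag server-side. The field metadata shape, the record shape, the handler signatures and the roles of the `rbf_start` arguments are all assumptions for illustration.

```javascript
// Added example (not Rollbase code). Field metadata, record shape and
// handler signatures below are assumptions for illustration only.

// Hypothetical per-field settings, as an admin might set them on the
// Field Edit page: "box" allows inline editing, "email" does not.
const FIELD_DEFS = {
  web01_box:   { inlineEditable: true },
  web01_email: { inlineEditable: false },
};

// Constructed sample record (not real data).
function sampleRecord() {
  return { id: '109551234', web01_box: false, web01_email: 'user@example.com' };
}

// Pull the arguments out of the onclick handler from the posted markup.
// The meaning of the two numeric arguments is not stated in the thread,
// so they are returned as opaque strings. Whatever they are, the third
// argument (the field name) is plain text in the page and can be edited
// by anyone who can open the browser's developer tools.
function parseRbfStart(onclick) {
  const re = /rbf_start\(\s*(\d+)\s*,\s*'(\d+)'\s*,\s*'([^']+)'\s*,\s*'([^']+)'\s*\)/;
  const m = re.exec(onclick);
  if (!m) return null;
  return { arg0: m[1], arg1: m[2], fieldName: m[3], arg3: m[4] };
}

// Vulnerable pattern: the server hid the pencil icon for non-inline-editable
// fields, but the update endpoint accepts any known field name it is sent.
// Renaming web01_box to web01_email in the markup is enough to get through.
function inlineUpdateVulnerable(record, fieldName, newValue) {
  if (!(fieldName in FIELD_DEFS)) throw new Error('unknown field ' + fieldName);
  record[fieldName] = newValue;
  return { ok: true };
}

// Hardened pattern: the endpoint re-checks the same metadata the view page
// used to decide whether to render the icon. Hiding UI is not authorization;
// the server has to make the decision again on every write.
function inlineUpdateHardened(record, fieldName, newValue) {
  const def = FIELD_DEFS[fieldName];
  if (!def) throw new Error('unknown field ' + fieldName);
  if (!def.inlineEditable) {
    return { ok: false, reason: 'field ' + fieldName + ' is not inline-editable' };
  }
  record[fieldName] = newValue;
  return { ok: true };
}

// Replay the tampered request from the thread against a handler: the client
// changed the field name in the onclick handler from web01_box to web01_email.
function replayTamperedRequest(handler) {
  const tampered = "return rbf_start(109548444, '109551234', 'web01_email', 'web01_email');";
  const call = parseRbfStart(tampered);
  const record = sampleRecord();
  const result = handler(record, call.fieldName, 'attacker@example.com');
  return { result, email: record.web01_email };
}

// Stand-alone run: the vulnerable handler stores the value, the hardened one refuses.
console.log(replayTamperedRequest(inlineUpdateVulnerable));
console.log(replayTamperedRequest(inlineUpdateHardened));
```

The practical check for any application with per-field "editable here" switches is the same as the replay above: take a request generated from an editable field, swap in the name of a field the UI would not let you edit, and see whether the server stores it. If it does, the switch is a rendering hint rather than a permission.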

Posted by Sven Cuypers on 23-Mar-2015 07:19

Hi,

Rollbase 3.2 Private and Hosted Cloud were released last weekend.
As you can see on https://www.progress.com/products/rollbase/content/whats-new/release-notes/release-3-2-0, the issue you reported has been fixed.

Kind regards,
Sven

This thread is closed