Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Read-Only flag in CustomerCompany Map #65

Closed
bschmalhofer opened this issue Jun 3, 2020 · 3 comments
Closed

Read-Only flag in CustomerCompany Map #65

bschmalhofer opened this issue Jun 3, 2020 · 3 comments
Assignees
@bschmalhofer
Labels
bug Something isn't working as intended
Milestone
OTOBO 10.1.1

Comments

@bschmalhofer
Copy link
Contributor

I had a strange setup with additional fields in CustomerCompany. In the config these were marked as readonly. Consequently the additional fields could not be changed. Because of a direkt update in the table customer_company different values were shown in the GUI as were in the table. When updating in the GUI the values from the GUI were inserted in the table.

My guess is that the readonly fields were still POST input fields. And all it takes to make these fields writable is to use a Browser extension that make ro input fields writable. IMHO this is a security bug.
@svenoe
Copy link
Contributor

svenoe commented Jun 3, 2020

Confirmed. We have to introduce a server side check, probably in the module files.

@bschmalhofer bschmalhofer added the bug Something isn't working as intended label Jul 6, 2020
@bschmalhofer bschmalhofer added this to the OTOBO 10.1 milestone Jul 6, 2020
@bschmalhofer bschmalhofer changed the title Read-Only flag in Customer Map Read-Only flag in CustomerCompany Map Aug 21, 2020
@bschmalhofer
Copy link
Contributor Author

The readonly flag was not checked in AdminCustomerCompany.pm. The solution is to pass the old values for the readonly values.

@bschmalhofer bschmalhofer mentioned this issue Aug 21, 2020
Closed
bschmalhofer added a commit that referenced this issue Aug 21, 2020
@bschmalhofer
Issue #65: enhance code comments for plackup
16ed9f3
bschmalhofer added a commit that referenced this issue Aug 21, 2020
@bschmalhofer
Issue #65: remove an unused variable
1c04f7c
bschmalhofer added a commit that referenced this issue Aug 21, 2020
@bschmalhofer
Issue #65: fix an incorrect code comment
f9557f6
bschmalhofer added a commit that referenced this issue Aug 21, 2020
@bschmalhofer
Issue #65: use the old value for readonly CustomerCompany fields
04e947b
@bschmalhofer
Copy link
Contributor Author

Tested with Firefox Webdevelopper 'Make Form Fields Writeable' . Looks good. Closing the issue.

@bschmalhofer bschmalhofer self-assigned this Nov 28, 2021
@bschmalhofer bschmalhofer modified the milestones: OTOBO 10.1, OTOBO 10.1.1 Nov 28, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@bschmalhofer bschmalhofer

Labels
bug Something isn't working as intended
Projects
None yet
Milestone
OTOBO 10.1.1
Development

No branches or pull requests
2 participants
@bschmalhofer @svenoe