+7Hi,
One of our customers discovered a potential data security issue : if a back-office user “inspect” the web page, then a disable field can be transformed into an editable fied and so be updated by the user.
Example in the service order module, the disabled field “problem_desc” can be updated using the “inspect” action. See attached document for details.
Is there a way to avoid this ? Thanks in advance for your feedback
Best answer by Andrew D'Antonio
Hi Philippe,
As far as I’m aware, there is no server-side functionality to prevent users from modifying individual columns in the module’s state. If there is a need for this, it would require a custom solution. However, you can audit order-level changes in the order’s transaction log.
Thanks,
Andrew
Hi Philippe,
As far as I’m aware, there is no server-side functionality to prevent users from modifying individual columns in the module’s state. If there is a need for this, it would require a custom solution. However, you can audit order-level changes in the order’s transaction log.
Thanks,
Andrew
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.
