If either `->setReadonly(true)` or `->setDisabled(true)` has been called on LinkField, then attempting to update the data via AJAX requests to LinkFieldController should raise an HTTP error, similar to the 403s that are raised when a user lacks permission to update a DataObject.
Note that while this Stack Overflow question states that readonly data is still sent, we should still block it on the controller because the POST submission is not part of a larger form. This is because LinkFields make their own AJAX requests independent of the page edit form, meaning that readonly and disabled are effectively equivalent, i.e. you must not be allowed to update values.
After some discussion, we have concluded that the endpoint where the LinkData is posted should be considered as an abstract API disassociated from any specific LinkField instance. Therefore it should not do any other check aside from whether the user has the appropriate CanView/CanEdit/CanDelete permission.
Related issues