Hello SEBLOD experts,
I have a security related question
I have been using hidden fields with assigned live values,
to have them auto-filled.
We know that these fields are only hidden from being displayed openly in the browser, but are still accessible via source inspector.
Anyone with a bit of knowledge in this area can manipulate e.g. the publish state of a comment, that I have preset to be "unpublished" to "published" - totally circumventing my approval workflow.
Is there a way to have field values set by live value, but ONLY on the server side?
Hello Viktor!
I might be wrong, but if you set a higher access level on control fields (such as publish state etc), even if hidden, those fields should not be accessible to users with lesser access right to temper with (because not present at all). Just set, for example, the default value to e.g. unpublished. Although, it's a "catch 22" scenario, if you need to set certain values based on user input. In that case maybe you could use a Before Store of Code Pack plugin, or PrepareStore of field 42.
Hi,
you need to set hidden variation on the field plus live value, then user won't be able to alter value that is saved.
Thank you for this idea, Webcastor. I will try this.
Klas ... even if the user is a hacker, trying to manipulate the form, the DOM and the javascripts used?
A hidden field is still accessible.
I would expect SEBLOD to do some XHR communication with the server,
to determine the values, to calculate securely and to save into the database live-values only on the server side,
neglecting / not using the value of the hidden field.
Is this the case, Klas?
That would be really nice :)
When hidden variation is used, value submited trough form is not used, what gets saved is the live value.
Awesome !!!
Thank you for the confirmation.
I'll try to make use of this as much as possible, let's see how far I can go with it.
