Bug #12300

Updated by Siti Norahayu Mohd Desa about 3 years ago

*Findings: in several menus, the user can change disabled inputs*

In "edit" or "update" screens, there are several fields that are disabled / not expected to be changed by the user. But by using the inspector, we could remove disabled="disabled", edit the field, and the server saves the new field value.

Impacted menus that we found during the test:
# Admin user maintenance
# Participant maintenance
# Participant group maintenance

*Finding: In several menus {attached}, on the edit menu, disabled inputs can still be injected and saved.*

Note: because of conflicting changes with Functional SIT testing, we couldn't verify all functions for this bug. We hope the developer can analyze the application fully, not only the three menus that we found above.

+Steps:+
# Open the enquiry screen of the function, search and click on the edit / pencil button.
# By using the inspector, remove disabled="disabled"
# Edit the field value
# Click the Next button
# If in the confirmation screen the field is reset, repeat step 2 in the confirmation screen
# Click the Confirm button
# Verify by using the view / eye button from the enquiry screen


*Recommendation: All disabled fields should be rejected by the server (need update to server-processing logic)*
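
One way to implement the recommended server-side check, as an added example that is not code from this ticket or from the application: the final save compares the request against the stored record and rejects any change to a field outside a per-screen allowlist, so removing disabled="disabled" in the browser has no effect. The screen key, field names and sample record are assumptions made for illustration.

```python
# Added example (hypothetical names): enforce read-only fields on the server,
# independent of the disabled="disabled" attribute rendered in the HTML form.

class ReadOnlyFieldError(Exception):
    """A request tried to change a field the server treats as read-only."""
    def __init__(self, fields):
        self.fields = sorted(fields)
        super().__init__("read-only fields modified: " + ", ".join(self.fields))

# Per-screen allowlist of fields the user may edit (constructed sample).
EDITABLE_FIELDS = {
    "participant_maintenance": {"display_name", "email", "phone"},
}

# Constructed sample of a stored record; form values arrive as strings.
SAMPLE_STORED = {
    "participant_id": 17,
    "participant_code": "PRT-001",
    "display_name": "Old Name",
    "email": "old@example.test",
    "phone": "000",
}

def apply_update(screen, stored, submitted):
    """Return the record to save, or raise ReadOnlyFieldError.

    stored    -- current record loaded from the database at save time
    submitted -- form fields from the request (fully client-controlled)

    Run this on the final save (the Confirm step), against the database
    record, not against values carried over from an earlier screen.
    """
    editable = EDITABLE_FIELDS[screen]
    # A browser omits disabled inputs from the submission, so a read-only
    # field arriving with a different value means the form was altered.
    tampered = {
        name for name, value in submitted.items()
        if name in stored and name not in editable
        and str(stored[name]) != str(value)
    }
    if tampered:
        raise ReadOnlyFieldError(tampered)
    updated = dict(stored)
    # Copy only allowlisted fields; unknown or read-only names are never written.
    for name in editable & submitted.keys():
        updated[name] = submitted[name]
    return updated
```

Logging the rejected field names together with the acting user gives the operations team a signal when someone attempts this kind of tampering.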
