PerlMonks  

Re: cgi::formbuilder submit button non-editable form

by quester (Vicar)
on Mar 04, 2008 at 07:17 UTC [id://671811]


in reply to cgi::formbuilder submit button non-editable form

Umm... pardon me, but non-editable fields? In a browser? Just say NO!

In order to make the fields non-editable you have to assume things about the functionality of the user's browser. If the user gets to supply his own browser all bets are off. Imagine how you would support non-editable fields if the user connected to your server with "telnet www.victim.com 80".

The usual solution is to establish a session state, so you can validate that hidden or non-edit fields really have the right values in them, all the fields are there, and the user didn't add anything (that matters).

In the case of a simple deletion, you might want to repeat whatever logic you used to determine that the user is authorized to delete this object, instead of checking the session state. That could be less code, or more, depending on how your authorization works.

Re^2: cgi::formbuilder submit button non-editable form
by Anonymous Monk on Jul 03, 2012 at 16:23 UTC
    Basically, you add an empty 'readonly' attribute to the markup.

    $form->field( name => 'field_name', readonly => 1);

    For checkboxes, you can use disabled

    $form->field( name => 'choices', disabled => 'disabled');

    In response to the pedants, this is not a security issue. It is a usability question. The form is showing a different view of the same data to perform different operations on it.

    For example "make a duplicate record", or "delete record". It doesn't make sense for the user to modify those fields if the action ignores those modifications.

    The permissions handling is still managed by the server. If a user adds his own query parameter, "&destroy_everything=1", to the request, that doesn't mean the server will obey it.
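The two posts above agree on the substance: `readonly`/`disabled` are rendering hints, and the server has to check what actually arrives. The script below is an added example written for this page; it is not code from the thread and does not use CGI::FormBuilder. It implements quester's three checks (locked fields present, unchanged, nothing extra) against a session record, then re-runs the authorization logic for a delete anyway, and shows that a hand-crafted request (the "telnet to port 80" case) is rejected. The `%records` table, the `%sessions` hash, the `may_delete` owner check and the `_submit` field name are all assumptions made for the example; a real application would have its own record store, session backend and ACL.

```perl
#!/usr/bin/perl
# Added example for this thread (not from the original posts or from
# CGI::FormBuilder). Core modules only; everything below the 'use' lines
# is a made-up stand-in for a real record store, session store and ACL.
use strict;
use warnings;

# Constructed sample data: two records with different owners.
my %records = (
    42 => { owner => 'alice', title => 'Quarterly report' },
    43 => { owner => 'bob',   title => 'Private notes' },
);

# Assumed authorization rule: a user may delete only records they own.
sub may_delete {
    my ($user, $id) = @_;
    my $rec = $records{$id} or return 0;
    return $rec->{owner} eq $user ? 1 : 0;
}

# Server-side session store keyed by session id. In production this is a
# store the client cannot reach; here it is a plain hash.
my %sessions;

# Minimal attribute-value escaping so a title containing quotes cannot
# break out of the value="..." attribute.
sub esc {
    my $s = shift;
    $s =~ s/&/&amp;/g; $s =~ s/</&lt;/g; $s =~ s/>/&gt;/g; $s =~ s/"/&quot;/g;
    return $s;
}

# Render step: emit the form with readonly inputs and record in the
# session which fields are locked and what they must contain on submit.
sub render_delete_form {
    my ($sid, $user, $id) = @_;
    my $rec = $records{$id} or die "no such record $id";
    my %locked = (id => $id, title => $rec->{title});
    $sessions{$sid} = { user => $user, action => 'delete', locked => \%locked };
    my $html = qq{<form method="post" action="/delete">\n};
    for my $name (sort keys %locked) {
        # 'readonly' is only a hint to the browser; nothing here trusts it.
        $html .= '  <input type="text" name="' . esc($name)
               . '" value="' . esc($locked{$name}) . "\" readonly>\n";
    }
    $html .= qq{  <input type="submit" name="_submit" value="Delete">\n</form>\n};
    return $html;
}

# Submit step: $params is the decoded request body (name => value).
# Every check assumes the client may be "telnet host 80", not a browser.
sub handle_delete {
    my ($sid, $params) = @_;
    my $sess = $sessions{$sid} or return (0, 'no session');
    return (0, 'wrong action') unless $sess->{action} eq 'delete';
    my $locked  = $sess->{locked};
    my %allowed = (%$locked, _submit => 1);   # '_submit' is an assumed name
    # 1. the user did not add anything that matters
    for my $k (keys %$params) {
        return (0, "unexpected field $k") unless exists $allowed{$k};
    }
    # 2. every locked field is present and unchanged
    for my $k (keys %$locked) {
        return (0, "missing field $k")  unless defined $params->{$k};
        return (0, "tampered field $k") unless $params->{$k} eq $locked->{$k};
    }
    # 3. re-run authorization instead of trusting what the form said
    my $id = $params->{id};
    return (0, 'not authorized') unless may_delete($sess->{user}, $id);
    delete $records{$id};
    return (1, "deleted $id");
}

# Demo: alice is shown the delete form for her own record 42.
print render_delete_form('sess-1', 'alice', 42);
# Hand-crafted request that swaps the locked id for bob's record.
my @r = handle_delete('sess-1', { id => 43, title => 'Quarterly report', _submit => 'Delete' });
print "tampered: @r\n";
# Honest submission of the form exactly as rendered.
@r = handle_delete('sess-1', { id => 42, title => 'Quarterly report', _submit => 'Delete' });
print "honest:   @r\n";
# A view-layer bug renders bob's record for alice; check 3 still refuses.
render_delete_form('sess-2', 'alice', 43);
@r = handle_delete('sess-2', { id => 43, title => 'Private notes', _submit => 'Delete' });
print "bug:      @r\n";
```

Two practical caveats. First, browsers do not submit `disabled` controls at all, so a field rendered with `disabled` (the checkbox case in the reply above) will trip the "missing field" check; either re-derive its value from the session instead of expecting it in `$params`, or lock it with `readonly` so it is still sent. Second, check 3 is what makes the delete safe even when the session was populated incorrectly, which is the "repeat the authorization logic" option quester describes; the session checks add the guarantee that the rest of the form was not rewritten in transit.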
