RichFaces - RF-13358

rich:panelMenuGroup allowing actions executions even if originally disabled

    Details

    • Sprint:
      4.3.5 Sprint 1
    • Steps to Reproduce:

      1. Deploy output-demo (RF dev-examples)
      2. Run http://localhost:8080/output-demo/examples/panelMenu.jsf
      3. Try to expand Group 4.1 - not possible, which is the intended behaviour
      4. Modify the following JS, using disabled:false, and execute it with FireBug:

         new RichFaces.ui.PanelMenuGroup("f:group43",{"collapseEvent":"click","unselectable":false,"selectable":false,"name":"group43","ajax":{"incId":"1"},"stylePrefix":"rf\u002Dpm\u002Dgr","expanded":false,"expandEvent":"click","disabled":true,"mode":"client"} )

      5. Try to expand Group 4.1 again - it is possible now, and the inner group elements can even be clicked and their actions executed

    Description

      Related to https://issues.jboss.org/browse/RF-12813

      This is possibly a security hole, as this is the second component piece discovered to allow tampering with actions through JS.

      I suggest trying this out on other components as well!!!

      With the following example:

          <rich:panelMenuGroup id="group4" label="Group 4" expanded="false">
              <rich:panelMenuItem id="item41" label="Item 4.1" />
              <rich:panelMenuItem id="item42" label="Item 4.2" disabled="true" />
              <rich:panelMenuGroup id="group43" label="Group 4.1" disabled="true">
                  <rich:panelMenuItem id="item431" label="Item 4.1.1" />
              </rich:panelMenuGroup>
          </rich:panelMenuGroup>

      the group43 element is intended to be disabled and thus not to allow any action execution on it.

      Once tampered with:

          new RichFaces.ui.PanelMenuGroup("f:group43",{"collapseEvent":"click","unselectable":false,"selectable":false,"name":"group43","ajax":{"incId":"1"},"stylePrefix":"rf\u002Dpm\u002Dgr","expanded":false,"expandEvent":"click","disabled":false,"mode":"client"} )

      it is possible to expand the group and execute further actions on its child elements.

      NOTE: to verify this in RF 4.5, the JS function is: new RichFaces.rf4.ui.....
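The mitigation a practitioner would want for this class of bug is server-side enforcement: when an action arrives, the component's disabled state must be re-read from the server-side component tree rather than trusted from the client. The decorating JSF ActionListener below is an added example and not RichFaces project code; the package and class name are hypothetical, and it assumes the component exposes its disabled state through the standard attribute map, as the rich:panelMenu components in the report do.

```java
// Added example (not RichFaces code): a decorating JSF ActionListener that rejects an
// action when the invoked component, or any of its ancestors, is disabled on the server.
// Registered in faces-config.xml as
//   <application><action-listener>com.example.DisabledAwareActionListener</action-listener></application>
// (package and class name are hypothetical).
package com.example;

import javax.faces.application.FacesMessage;
import javax.faces.component.UIComponent;
import javax.faces.context.FacesContext;
import javax.faces.event.AbortProcessingException;
import javax.faces.event.ActionEvent;
import javax.faces.event.ActionListener;

public class DisabledAwareActionListener implements ActionListener {
    private final ActionListener delegate;

    // JSF passes the previously registered (default) action listener to this constructor.
    public DisabledAwareActionListener(ActionListener delegate) {
        this.delegate = delegate;
    }

    @Override
    public void processAction(ActionEvent event) throws AbortProcessingException {
        UIComponent source = event.getComponent();
        FacesContext ctx = FacesContext.getCurrentInstance();
        // Walk up the tree: an action on item431 must be refused when its parent group43
        // is disabled, regardless of what the tampered client-side widget claimed.
        for (UIComponent c = source; c != null; c = c.getParent()) {
            if (isDisabled(c)) {
                ctx.addMessage(source.getClientId(ctx), new FacesMessage(
                    FacesMessage.SEVERITY_ERROR, "Action rejected: component is disabled", null));
                ctx.renderResponse(); // skip the remaining lifecycle phases
                throw new AbortProcessingException(
                    "Action invoked on disabled component " + c.getClientId(ctx));
            }
        }
        delegate.processAction(event);
    }

    // The attribute may be a Boolean (evaluated EL) or a String literal such as "true";
    // a missing attribute yields "null", which parses to false.
    static boolean isDisabled(UIComponent c) {
        Object value = c.getAttributes().get("disabled");
        return value instanceof Boolean ? (Boolean) value
                                        : Boolean.parseBoolean(String.valueOf(value));
    }
}
```

Reading the attribute evaluates the server-side value expression, so a flag flipped only in the browser has no effect on the decision.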

    People

      • Assignee: bleathem Brian Leathem
      • Reporter: pslegr Pavel Slegr