Visible and Enabled property are not secure


Just got a painful realization.

Background: I previously worked as an Oracle Forms Developer, not a web developer.

The Visible and Enabled=false properties can be altered at runtime using certain browser features.

To hide a secured/privileged container or widget (an Approve button, for example), use the If Widget, not the Visible property.

As for the Enabled property, does OutSystems have some check on the server side, so that the input widget value does not update the Form's Record variable if the Enabled property was false?

Nope, I have also noticed this; however, this is a problem in all of web development.
You will always have to build server-side checks in order to validate if a change has been made correctly.

So probably you have to keep track of an extra boolean to which you assign the enabled state.
On each change you check if this boolean is false or true and act accordingly.

Hi Harlin,

Not that I know of. The described behaviour is standard for web development.

What you need to do, when submitting data (server side), is to validate if the record(s) in question allow changes, and if not you stop and send an error message.

Best regards,

João Nobre

For example, I have disabled my discount input widget (only the Senior Sales Manager may change the discount).

A knowledgeable user may change the enabled=false property to true, change the discount, then save the record.

Is it an acceptable idea for OutSystems to double check the Enabled property on POST, then only update the Form's Record variable if it had the Enabled property originally true?

You can propose that as an idea to OutSystems.

At this point you must have both client and server side validation, so in your example you must also check on submit whether or not the user has the Role that allows the change.

Hi Harlin,

The recommendation is to never assume UI elements to be safe, and as such check them explicitly on the Screen Action that will handle the form submit afterwards. You can do this check based on the same logic you used to determine they should be read only in the first place.
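The server-side check described in the replies above, as an added example that is not part of the thread and is not OutSystems code. The role name, field names and functions are hypothetical; the point is that one rule decides both whether the input is rendered enabled and whether a submitted change is accepted.

```python
SENIOR_SALES_MANAGER = "SeniorSalesManager"  # hypothetical role name

# Fields a form may change at all, and the role required for restricted ones.
EDITABLE_FIELDS = {"quantity", "discount"}
FIELD_REQUIRED_ROLE = {"discount": SENIOR_SALES_MANAGER}


class ForbiddenChange(Exception):
    """Raised when a submission changes a field the user may not edit."""


def can_edit(field, roles):
    """Single rule shared by rendering (Enabled) and the submit check."""
    if field not in EDITABLE_FIELDS:
        return False
    required = FIELD_REQUIRED_ROLE.get(field)
    return required is None or required in roles


def render_enabled_flags(roles):
    """Values the page would bind to each input's Enabled property."""
    return {f: can_edit(f, roles) for f in sorted(EDITABLE_FIELDS)}


def apply_submission(stored, submitted, roles):
    """Return the updated record, or raise if the POST changes a field the
    user may not edit. `stored` is re-read on the server, never taken from
    the form, so a re-enabled input cannot bypass the rule."""
    updated = dict(stored)
    for field, value in submitted.items():
        if field not in stored or value == stored[field]:
            continue  # unknown fields are dropped; unchanged values are harmless
        if not can_edit(field, roles):
            raise ForbiddenChange(f"not allowed to change {field!r}")
        updated[field] = value
    return updated


# Constructed sample data: the stored order and a POST in which the
# disabled discount input was re-enabled in the browser before saving.
ORDER = {"id": 7, "quantity": 10, "discount": 0}
TAMPERED_POST = {"id": 7, "quantity": 12, "discount": 40}
```

Rejecting the whole submission, rather than silently dropping the forbidden field, also gives the application an event it can log.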

Hello Harlin,

The platform simply can't assume that because an element is marked as "disabled" in a page at the time the page is built on the server, it should stay in this state for the duration of the page life. You can have client-side scripts to control this behavior, and the platform will never know about it.

If you want something to be "Permanently" out of the hands of the user, don't put it in the page.

Can be annoying, but that's the way to go. :)

Eduardo Jauch

It's known and people should take care of it themselves.

That said, URL tampering also comes to mind, which IMHO should also be the responsibility of the developer and not the platform.