Possible to update entity exposed as read only with sql

Hi all,

I was playing around with the sql widget today, and found that when you reference entities in an sql widget in a consumer, and the entities are exposed as read only, you get an error message and are not able to publish.  This is as expected, as it shouldn't be possible to update read only entities from outside the producer.

But, when you use expandInline and just pass a full sql statement into an sql widget, you can bypass this check, and in effect make updates from within the consumer to entities that are exposed as read only by the producer. 

For completeness, I did the same test with a non public entity, and that, at least, was not possible.

I know all this is not normal or best practice, but I would have expected the platform to execute some sort of runtime check to block this.  When you have a carefully architected application landscape, the last thing you need is cowboys / creative thinkers bending what they see as limitations and this way creating unwanted cross model shortcuts and dependencies under the radar. 

Anybody know if this is an oversight, or maybe a known and accepted vulnerability ?  Are there ways to prevent this or at least detect this is going on ?


Hi Dorine,

using ExpandInline is like waving a flag "I don't care about best practices, let me do what I want!". 

Even if OutSystems tries to block those commands based on text patterns there are always ninja workarounds like concatening more strings.


But at some point the platform replaces the {entity} with the physical table name, so it could quite easily do a check at that point for read only entity vs owner espace of the sql widget.


I have reported this to OutSystems, as a read only public entity should under any circumstances be read only for consumers.


Hi Dorine,

That's the some thing when we can't use commit in an advance query but we change it to 'com' + 'mit;' works.

Following the platform best practices that should not be done but it would be good if they could limit that in the platform, nice catch.

Best regards,

Ricardo Pisco.


Hi Dorine,

It turns out that it is officially possible to update data of readonly/public entities from a consumer module:


I think it odd, and it shouldn't be or else remove the Expose Read Only attribute completely, but he I am not OutSystems.




Thanks for the link.

Agreed with @Daniël Kuhlmann , if READ ONLY set to YES then it's shouldn't be updated even using Custom SQL, but that is not happening now our bad.

Community GuidelinesBe kind and respectful, give credit to the original source of content, and search for duplicates before posting.