[
https://issues.jboss.org/browse/RF-13358?page=com.atlassian.jira.plugin.s...
]
Brian Leathem commented on RF-13358:
------------------------------------
{quote}
Explanation:
For example test test_disabled_menu_group, here, is trying to:
click on the group to collapse it
{quote}
The test is in fact clicking on a menu item of an already expanded menu group and trying
to execute the menuItem
{quote}
verifying whether an ajax request changed the state of the bean bound to the group action
param.
However, there is no Ajax request made, and at the same time the group is collapsed even
when it is disabled (tampered with the script executed after the page load). Therefore,
the test wrongly expects that the group is still disabled.
{quote}
Doesn't _guardAjax_ ensure that an ajax request takes place?
{quote}
It is weird, because on one hand the group is not making an Ajax request when clicked (I
guess because of some client check), and on the other hand it is expanded/collapsed.
{quote}
It's the menuItem that is supposed to make the ajax request when clicked, not the
menuItem.
----
I believe I see now what's going on. The fix I put in was to prevent execution of
menuItems, and what you (QA) are checking is if the group can be expanded. I'll
investigate now if that makes sense.
rich:panelMenuGroup allowing actions executions even if originally
disabled
---------------------------------------------------------------------------
Key: RF-13358
URL: https://issues.jboss.org/browse/RF-13358
Project: RichFaces
Issue Type: Bug
Security Level: Public(Everyone can see)
Components: component-menu
Affects Versions: 4.3.4
Environment: Linux, AS 7.1.1 Brontes, FF 25 with FireBug addOn
Reporter: Pavel Slegr
Assignee: Brian Leathem
Priority: Critical
Labels: needs-qe
Fix For: 4.3.5, 4.5.0.Alpha2, 5.0.0.Alpha3
Original Estimate: 1 hour
Remaining Estimate: 1 hour
related to
https://issues.jboss.org/browse/RF-12813
This can possibly be a security hole, as the second component piece is discovered to
allow tampering with actions through JS.
I suggest trying this out on other components as well!!!
With the following example:
{code}
<rich:panelMenuGroup id="group4" label="Group 4" expanded="false">
    <rich:panelMenuItem id="item41" label="Item 4.1" />
    <rich:panelMenuItem id="item42" label="Item 4.2" disabled="true" />
    <rich:panelMenuGroup id="group43" label="Group 4.1" disabled="true">
        <rich:panelMenuItem id="item431" label="Item 4.1.1" />
    </rich:panelMenuGroup>
</rich:panelMenuGroup>
{code}
The group43 element is intended to be disabled, thus not allowing any action
execution on it.
Once tampered with:
{code}
new RichFaces.ui.PanelMenuGroup("f:group43", {
    "collapseEvent":"click","unselectable":false,"selectable":false,"name":"group43",
    "ajax":{"incId":"1"},"stylePrefix":"rf\u002Dpm\u002Dgr","expanded":false,
    "expandEvent":"click","disabled":false,"mode":"client"
})
{code}
It is possible to expand the group and execute further actions on its child elements.
NOTE: to verify this in RF 4.5 the JS function is: _new RichFaces.rf4.ui....._
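
The report comes down to where `disabled` is enforced: the widget options can be rewritten in the browser, so the check has to run against the server's copy of the component tree. An added sketch of such a decode-time check, not RichFaces code and not part of the original message; `Node`, `effectivelyDisabled`, `mayExecute` and the `source`/`disabled` request parameter names are assumptions made for illustration:

```java
import java.util.LinkedHashMap;
import java.util.Map;
// Added illustration: a plain-Java stand-in for a server-side component tree (not the RichFaces API).
public class DisabledGuardDemo {
    // Hypothetical component model; the server's copy of "disabled" is the only one trusted.
    static final class Node {
        final String id; final boolean disabled; final Node parent;
        Node(String id, boolean disabled, Node parent) {
            this.id = id; this.disabled = disabled; this.parent = parent;
        }
    }

    static Node add(Map<String, Node> tree, String id, boolean disabled, Node parent) {
        Node n = new Node(id, disabled, parent);
        tree.put(id, n);
        return n;
    }

    // A component is effectively disabled if it or any ancestor is disabled on the server.
    static boolean effectivelyDisabled(Node n) {
        for (Node c = n; c != null; c = c.parent)
            if (c.disabled) return true;
        return false;
    }

    // Decode-time check: request parameters are client-controlled, so a posted
    // "disabled" value is never consulted; unknown ids are rejected as well.
    static boolean mayExecute(Map<String, Node> tree, Map<String, String> params) {
        Node target = tree.get(params.get("source"));
        return target != null && !effectivelyDisabled(target);
    }

    public static void main(String[] args) {
        // Server-side tree mirroring the markup in the report.
        Map<String, Node> tree = new LinkedHashMap<>();
        Node group4 = add(tree, "group4", false, null);
        add(tree, "item41", false, group4);
        add(tree, "item42", true, group4);
        Node group43 = add(tree, "group43", true, group4);
        add(tree, "item431", false, group43);
        // Constructed requests; each claims disabled=false, as a tampered client could.
        for (String id : new String[] {"item41", "item42", "group43", "item431", "nosuch"}) {
            Map<String, String> params = new LinkedHashMap<>();
            params.put("source", id);
            params.put("disabled", "false");
            System.out.println(id + " -> " + (mayExecute(tree, params) ? "execute" : "reject"));
        }
    }
}
```

Only `item41` is allowed to execute: `item431` is rejected because its parent `group43` is disabled on the server, whatever state the client-side widget was re-created with.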