rich:panelMenuGroup allowing actions executions even if originally disabled --------------------------------------------------------------------------- Key: RF-13358 URL: https://issues.jboss.org/browse/RF-13358 Project: RichFaces Issue Type: Bug Security Level: Public(Everyone can see) Components: component-menu Affects Versions: 4.3.4 Environment: Linux, AS 7.1.1 Brontes, FF 25 with FireBug addOn Reporter: Pavel Slegr Assignee: Brian Leathem Priority: Critical Labels: needs-qe Fix For: 4.3.5, 4.5.0.Alpha2, 5.0.0.Alpha3 Original Estimate: 1 hour Remaining Estimate: 1 hour related to https://issues.jboss.org/browse/RF-12813 This can be possibly a security hole, as the second component piece is discovered to allow tampering actions through JS. I suggest to try out on other components as well !!! with following example {code} { <rich:panelMenuGroup id="group4" label="Group 4" expanded="false"> <rich:panelMenuItem id="item41" label="Item 4.1" /> <rich:panelMenuItem id="item42" label="Item 4.2" disabled="true" /> <rich:panelMenuGroup id="group43" label="Group 4.1" disabled="true"> <rich:panelMenuItem id="item431" label="Item 4.1.1" /> </rich:panelMenuGroup> </rich:panelMenuGroup> } {code} the group43 element is intended to be disabled and thus not allowing any actions execution on it Once tampered with {code} { new RichFaces.ui.PanelMenuGroup("f:group43",{"collapseEvent":"click","unselectable":false,"selectable":false,"name":"group43","ajax":{"incId":"1"} ,"stylePrefix":"rf\u002Dpm\u002Dgr","expanded":false,"expandEvent":"click","disabled":false,"mode":"client"} ) } {code} It is possible to expand the group and execute further actions on its children elements NOTE: to verify this in RF 4.5 the JS function is: _new RichFaces.rf4.ui....._