views: 44

answers: 5

What I'm trying to achieve is basically to prevent client-side changes to the state of my server controls.

For example, let's say that I have a business web application that shows some data in read-only fashion to the regular users, but allows the admin to edit the data. In such a case I use regular ASP.NET server controls, but disable them for the regular user (Enabled=false). The problem that I have is that any advanced user could change the disabled control on the client using short JavaScript code and check the supposedly disabled and unchecked checkbox.

From my standpoint this is a serious security problem and I'm more than surprised that I cannot find anyone asking questions about that.

Perhaps I'm missing something, but please let me know what is the easiest way to prevent this client-side change. I thought that when the control is disabled before rendering the page, the following postback would not touch this control at all, no matter how you change it on the client. Did I get this terribly wrong?

+2  A: 

I would do a double check on the server-side.

There is no guarantee that a request will always come from your (unmodified) page. Anyone can craft an HTTP request that mimics whatever your postback is doing.

Adrian Godong
Yes, I can check the logic on the server, but because I work on a legacy system, this would be very hard work. I was wondering if there is some simple, elegant solution involving only the controls themselves - not the logic on the page.
Peter Motichka
+1. Everything the user sends to the server must be double checked. POST data, GET data, files, AJAX requests, control state, session cookies. *Everything*. So I completely agree with Adrian Godong.
MainMa
It would be hard work worth its weight in gold. Depending only on client-side validation is not what you want to say when some security issue comes up (which is actually the original problem).
Adrian Godong
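An added example of the server-side double check Adrian describes, written for ASP.NET Web Forms code-behind; it is not code from the question or from any answer, and the control names (chkActive, btnSave), the "Admin" role and the Application-state storage are hypothetical stand-ins for a real page and its data access:

```csharp
// Added example (not from the question or any answer): an ASP.NET Web Forms page that
// enforces "read-only unless admin" on the server instead of trusting the rendered
// Enabled=false state. chkActive, btnSave, the "Admin" role and the Application-state
// store are hypothetical placeholders.
using System;
using System.Web.UI;

public partial class SettingsPage : Page
{
    // The authorization decision is taken from the server-side principal only;
    // nothing the browser posts can influence it.
    private bool IsAdmin { get { return User.IsInRole("Admin"); } }

    protected void Page_Load(object sender, EventArgs e)
    {
        // Regular users still see the current value, just in a disabled control.
        chkActive.Enabled = IsAdmin;
        btnSave.Enabled = IsAdmin;

        if (!IsPostBack)
        {
            chkActive.Checked = LoadSetting();
        }
    }

    protected void btnSave_Click(object sender, EventArgs e)
    {
        // Posted data is processed before Page_Load, so by now chkActive.Checked may
        // already hold a value a tampered request supplied. The rule is re-checked here,
        // on every postback, regardless of what the client rendered.
        if (!IsAdmin)
        {
            // Discard the posted value, restore the authoritative one and record the
            // attempt so it can be picked up in monitoring.
            chkActive.Checked = LoadSetting();
            Trace.Warn("Security", "Non-admin postback tried to change the 'active' setting.");
            return;
        }

        SaveSetting(chkActive.Checked);
    }

    // Stand-ins for real data access: an application-scoped value.
    private bool LoadSetting()
    {
        return Application["ActiveSetting"] as bool? ?? false;
    }

    private void SaveSetting(bool value)
    {
        Application["ActiveSetting"] = value;
    }
}
```

The same pattern applies to every control whose disabled state is meant to be a permission: the server re-derives the permission on postback and ignores the posted value when it is absent.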
A: 

If you use a Placeholder control and hide it, nothing will be rendered to the screen.

Mitch R.
This is definitely not the goal. The goal is to SHOW the control, but in a disabled state, so the user can see how the setting is configured but is not able to change it.
Peter Motichka
A: 

Hi, my 2 cents on your problem. I would rather use a FormView/DetailsView if both the view and edit pages are the same.

You can then use template fields with 'labels' only to show the data, and place the editing controls (textbox, radio buttons) in edit field templates. You can store a variable in session regarding the user level, then on each page load you can check the level and, depending on that, open the FormView/DetailsView in either normal or edit mode.

http://quickstarts.asp.net/QuickStartv20/aspnet/doc/ctrlref/data/detailsview.aspx

http://quickstarts.asp.net/QuickStartv20/aspnet/samples/data/GridViewMasterDetailsInsert_vb.aspx

Popo
Thank you, but this is not my goal. As I said earlier..." I work on a legacy system, this would be very hard work. I was wondering if there is some simple elegant solution involving only the controls itself - not the logic on the page."
Peter Motichka
Hi, there is jQuery BlockUI; maybe that would suit your need.
Popo
A: 

So no one has a better idea?

Peter Motichka
A: 

The Enabled property of the checkbox will remain false even after a tampered postback. Perhaps you could use this in some way?

Hugh Jeffner
This is simply not true.
Peter Motichka
I was referring to the server-side property of Enabled. Probably won't help you any though.
Hugh Jeffner