[ic] Security problem?

Jurgen Botz interchange-users@interchange.redhat.com
Tue Jan 29 11:14:00 2002


Mike Heins wrote:
> Quoting Jurgen Botz (jurgen@botz.org):
> > Hmm, it just occurred to me that users can apparently update arbitrary
> > fields in the userdb by saving any form page and adding input fields
> > corresponding to column names in the userdb.  This will set IC values
> > and if the userdb is later saved will update any such fields.  I just
> > tried it and it seems to work.
>[...] 
> Yes, that is why:
> 
> 	UserDB  default scratch  "dealer credit_limit"
> 
> is in the foundation setup. It routes those to $Scratch instead
> of $Values, which cannot be manipulated directly.

Aha!  Thanks!  Things are starting to come together.  In just a few days
the mailing list has already filled in many of the gaps in the docs for
me, both by passive reading and active asking (and this is the second
excellent answer from you, so thanks again!)

:j


-- 
Jürgen Botz                       | While differing widely in the various
jurgen@botz.org                   | little bits we know, in our infinite
                                  | ignorance we are all equal. -Karl Popper
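
Added example, not part of the original messages and not Interchange code: a simplified Python model of the data flow discussed in this thread, showing a userdb save that reads every column from form-supplied values next to one that reads "dealer" and "credit_limit" from scratch. All names (Session, save_userdb, the column list, the sample row and submission) are hypothetical and constructed for illustration.

```python
# Simplified model of the behaviour discussed in this thread; not Interchange code.
# All names here (USERDB_COLUMNS, Session, save_userdb, ...) are hypothetical.
USERDB_COLUMNS = {"fname", "lname", "email", "dealer", "credit_limit"}
# Mirrors the directive: UserDB default scratch "dealer credit_limit"
SCRATCH_FIELDS = {"dealer", "credit_limit"}


class Session:
    def __init__(self):
        self.values = {}   # filled from submitted form fields (user-controlled)
        self.scratch = {}  # set only by server-side code in this model

    def submit_form(self, fields):
        # Every posted field lands in values, whether or not the page offered it.
        self.values.update(fields)


def save_userdb(session, row, scratch_fields=frozenset()):
    """Return the row as saved: scratch_fields come from scratch, the rest from values."""
    updated = dict(row)
    for col in USERDB_COLUMNS:
        source = session.scratch if col in scratch_fields else session.values
        if col in source:
            updated[col] = source[col]
    return updated


def demo():
    row = {"fname": "Pat", "lname": "Doe", "email": "pat@example.com",
           "dealer": "0", "credit_limit": "100"}
    # Constructed submission: a saved copy of a form with two extra inputs added.
    posted = {"email": "pat@example.org", "dealer": "1", "credit_limit": "999999"}
    s = Session()
    s.scratch.update(dealer=row["dealer"], credit_limit=row["credit_limit"])
    s.submit_form(posted)
    unrouted = save_userdb(s, row)                # every column read from values
    routed = save_userdb(s, row, SCRATCH_FIELDS)  # protected columns read from scratch
    return unrouted, routed


if __name__ == "__main__":
    for label, result in zip(("without scratch routing", "with scratch routing"), demo()):
        print(label, result)
```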