[ https://issues.jboss.org/browse/RF-13358?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12935119#comment-12935119 ]

Brian Leathem commented on RF-13358:
------------------------------------

{quote}
Explanation:
For example test test_disabled_menu_group, here, is trying to:
click on the group to collapse it
{quote}

The test is in fact clicking on a menu item of an already expanded menu group 
and trying to execute the menuItem.

{quote}
verifying whether an ajax request changed the state of the bean bound to the 
group action param.
However, there is no Ajax request made, and at the same time the group is 
collapsed even when it is disabled (tampered with the script executed after the 
page load). Therefore, the test wrongly expects that the group is still disabled.
{quote}

Doesn't _guardAjax_ ensure that an ajax request takes place?

{quote}
It is weird, because on one hand the group is not making an Ajax request when 
clicked (I guess because of some client check), and on the other hand it is 
expanded/collapsed.
{quote}

It's the menuItem that is supposed to make the ajax request when clicked, not 
the menuItem.

----

I believe I see now what's going on.  The fix I put in was to prevent execution 
of menuItems, and what you (QA) are checking is if the group can be expanded.  
I'll investigate now if that makes sense.
                
> rich:panelMenuGroup allowing actions executions even if originally disabled
> ---------------------------------------------------------------------------
>
>                 Key: RF-13358
>                 URL: https://issues.jboss.org/browse/RF-13358
>             Project: RichFaces
>          Issue Type: Bug
>      Security Level: Public(Everyone can see) 
>          Components: component-menu
>    Affects Versions: 4.3.4
>         Environment: Linux, AS 7.1.1 Brontes, FF 25 with FireBug addOn
>            Reporter: Pavel Slegr
>            Assignee: Brian Leathem
>            Priority: Critical
>              Labels: needs-qe
>             Fix For: 4.3.5, 4.5.0.Alpha2, 5.0.0.Alpha3
>
>   Original Estimate: 1 hour
>  Remaining Estimate: 1 hour
>
> related to https://issues.jboss.org/browse/RF-12813
> This can possibly be a security hole, as the second component piece is 
> discovered to allow tampering with actions through JS.
> I suggest trying this out on other components as well!!!
> with the following example
> {code}
> <rich:panelMenuGroup id="group4" label="Group 4" expanded="false">
>     <rich:panelMenuItem id="item41" label="Item 4.1" />
>     <rich:panelMenuItem id="item42" label="Item 4.2" disabled="true" />
>     <rich:panelMenuGroup id="group43" label="Group 4.1" disabled="true">
>         <rich:panelMenuItem id="item431" label="Item 4.1.1" />
>     </rich:panelMenuGroup>
> </rich:panelMenuGroup>
> {code}
> the group43 element is intended to be disabled and thus not to allow any 
> action execution on it.
> Once tampered with:
> {code}
> new RichFaces.ui.PanelMenuGroup("f:group43", {
>     "collapseEvent":"click", "unselectable":false, "selectable":false,
>     "name":"group43", "ajax":{"incId":"1"}, "stylePrefix":"rf\u002Dpm\u002Dgr",
>     "expanded":false, "expandEvent":"click", "disabled":false, "mode":"client"
> })
> {code}
> it is possible to expand the group and execute further actions on its 
> child elements.
> NOTE: to verify this in RF 4.5 the JS function is: _new RichFaces.rf4.ui....._
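The report above comes down to where the `disabled` state is enforced: the client-side object can be re-created with `disabled:false`, so anything that relies on the browser to withhold the action is bypassable, and the server has to decide from its own view of the component tree whether an action on `item431` may run. The following is an added illustration, not RichFaces or JSF code: a stand-in server-side component tree mirroring the reporter's markup, with a decode step that trusts a client-supplied flag beside one that consults only server-held state. The class and method names (`Component`, `decodeTrustingClient`, `decodeServerAuthoritative`) and the request parameters (`activeItem`, `disabled`) are assumptions made for this example.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Map;

// Illustrative stand-in for a server-side component tree; not a RichFaces/JSF API.
public class DisabledStateEnforcement {

    /** Minimal server-side component: id, server-held disabled flag, parent link. */
    static final class Component {
        final String id;
        final boolean disabled;
        final Component parent;
        final List<Component> children = new ArrayList<>();

        Component(String id, boolean disabled, Component parent) {
            this.id = id;
            this.disabled = disabled;
            this.parent = parent;
            if (parent != null) {
                parent.children.add(this);
            }
        }

        /** True if this component or any ancestor group is disabled on the server. */
        boolean isEffectivelyDisabled() {
            for (Component c = this; c != null; c = c.parent) {
                if (c.disabled) {
                    return true;
                }
            }
            return false;
        }
    }

    /** Depth-first lookup by id in the server-side tree. */
    static Component findById(Component root, String id) {
        if (root.id.equals(id)) {
            return root;
        }
        for (Component child : root.children) {
            Component found = findById(child, id);
            if (found != null) {
                return found;
            }
        }
        return null;
    }

    /** Weak decode: lets the request's own "disabled" value decide whether the action runs. */
    static boolean decodeTrustingClient(Component root, Map<String, String> params) {
        String itemId = params.get("activeItem");
        if (itemId == null || findById(root, itemId) == null) {
            return false;
        }
        // Anything the browser sends can be altered, so this flag is not trustworthy.
        boolean clientSaysDisabled = Boolean.parseBoolean(params.getOrDefault("disabled", "false"));
        return !clientSaysDisabled;
    }

    /** Hardened decode: only the server-side tree decides; the request's flag is ignored. */
    static boolean decodeServerAuthoritative(Component root, Map<String, String> params) {
        String itemId = params.get("activeItem");
        if (itemId == null) {
            return false;
        }
        Component target = findById(root, itemId);
        return target != null && !target.isEffectivelyDisabled();
    }

    /** Server-side tree built from the markup in the report (group43 is disabled). */
    static Component buildTreeFromReport() {
        Component group4 = new Component("group4", false, null);
        new Component("item41", false, group4);
        new Component("item42", true, group4);
        Component group43 = new Component("group43", true, group4);
        new Component("item431", false, group43);
        return group4;
    }

    public static void main(String[] args) {
        Component tree = buildTreeFromReport();
        // Constructed request: client-side state was altered, so item431 arrives marked enabled.
        Map<String, String> tampered = Map.of("activeItem", "item431", "disabled", "false");
        System.out.println("trusting client, item431 runs:      " + decodeTrustingClient(tree, tampered));
        System.out.println("server authoritative, item431 runs: " + decodeServerAuthoritative(tree, tampered));
        // Constructed request for an item whose whole ancestor chain is enabled.
        Map<String, String> legit = Map.of("activeItem", "item41");
        System.out.println("server authoritative, item41 runs:  " + decodeServerAuthoritative(tree, legit));
    }
}
```

The hardened decode never reads the request's `disabled` value at all; the component tree restored on the server is the single source of truth, and the ancestor walk is what makes a disabled group also cover the items nested inside it, which is the situation the report describes with `group43` and `item431`. A regression test for this class of bug should therefore submit the action while the server-side state says disabled, rather than checking whether the client-side group can be expanded.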

_______________________________________________
richfaces-issues mailing list
https://lists.jboss.org/mailman/listinfo/richfaces-issues