Prevent choice editing via source code

Max Nowak · ‎08-30-2024

Hi,

I'm currently in a relatively sensitive project, where one of the QA testers of the customers noticed that you could add, remove or change choices in a Choice field by using the developer tools of their browser to change the respective HTML lines:

<select aria-required="false" aria-labelledby="label.incident.category" ng-non-bindable="true" name="incident.category" id="incident.category" onchange="onChange('incident.category', arguments.length === 2 ? arguments[1] : false);telemetryForRecordUpdate('category');" style="; " class="form-control" choice="1">
    <option value="software">Software</option>
    <option value="hardware">Hardware</option>
    <option value="test">test</option>
</select>

In this example, I added the last option (test) via developer tools, and I'm able to save the record. The coice will be highlighted in blue, because it's not present in the sys_choice table, but it is accepted regardless.

I know that I could possibly prevent this by having a before update BR in place that checks the currently selected choice against all available choices for this field, but that sounds very tedious and error-prone in the long run, especially if I wanted to ensure it for 30 choice fields across 5 tables, or something like that.

Is there any other way to do this?

Paul Curwen · ‎08-30-2024

Interesting question, I don't believe there is any way to Disable Dev Tools per say (anyone please correct me if wrong) and probably would be frowned upon. My solution would be validate on update and reject if out of scope, but yes a lot of work potentially.

***If Correct/Helpful please take time mark as Correct/Helpful. It is much appreciated.***

Regards

Paul

Bert_c1 · ‎08-30-2024

Does the new value show up in the sys_choice table for incident.catagory? If not, you can use a client script and script include to enforce valid choices. I've tested and onChange client script for table: incident and element: category, script follows:

function onChange(control, oldValue, newValue, isLoading, isTemplate) {
   if (isLoading || newValue === '') {
      return;
   }

   // check value
	var catValue = g_form.getValue('category');
	alert ("Checking catagory value: " + catValue);
	var ga = new GlideAjax('CheckCategoryValue');
	ga.addParam('sysparm_name', 'checkCategory');
    ga.addParam('sysparm_cat_value', catValue);
    ga.getXMLAnswer(getResponse);
	
	// callback function for returning the result from the script include
	function getResponse(response) {
        var ans = response;
		alert('response = ' + ans);
		if (ans == 'false')
			g_form.setValue('category', ''); 
    }
}

which will clear the value if invalid. You can comment out/remove the 'alert();' lines after testing. The script include has Client callable set to true. the script follows:

var CheckCategoryValue = Class.create();
CheckCategoryValue.prototype = Object.extendsObject(AbstractAjaxProcessor, {

	checkCategory: function() {
		var result=false;
        var catValue = this.getParameter("sysparm_cat_value");
		var screc = new GlideRecord('sys_choice');
		screc.addEncodedQuery('GOTOname=incident^element=category');
		screc.addQuery('value', catValue);
		screc.query();
		gs.info("CheckCategoryValue: Found " + screc.getRowCount() + " sys_choice records.");
		if (screc.next()) {
			result = true;
		}
		gs.info("CheckCategoryValue: Returning: " + result);
		return result;
    },

    type: 'CheckCategoryValue'
});

You can comment out/remove the gs.info() lines after testing.

Bert_c1 · ‎08-30-2024

After some thought, is doing that part of the QA process? seems there is other manipulation of forms possible using the browser's tools. If you see this occurring, you can use the audit history to find out who is doing it then have the boss slap that user's hand. what I proposed is a little "heavy" for your use case.