As designed Template Modification entity "canEdit" not checked during edit

DragonByte Tech

Affected version
2.0.0 RC3
In actionDelete there's a check:
PHP:
        if (!$modification->canEdit())
        {
            return $this->error(\XF::phrase('item_cannot_be_deleted_associated_with_addon_explain'));
        }

However, I'm not seeing this check during actionSave or modificationSaveProcess as I would expect. I haven't tested this theory, but in theory that would allow someone to edit a modification's template modification even if debug mode is not enabled.

If this is intended, then pretend like this thread was titled "canEdit should be named canDelete" or something instead :P


Fillip
 
This is mostly intentional and not necessarily exclusive to template mods. It is theoretically possible to edit some stuff that we otherwise try to block you from editing. There might be hidden input fields you can manipulate. There might be just disabled/read only fields you could just modify directly in the developer tools etc.

We're just not as strict when it comes to Admin stuff as we are on the front end. It was mostly the same in XF1.

canEdit is the appropriate method name though. It is used in the template to denote which fields should be marked read only or not. We allow modifying the enabled state from the edit page.
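
The thread's point is that read-only or disabled form fields are a presentation detail: a request can still carry changed values for them. As an added illustration (not XenForo's code and not written by either poster; the `Modification` class, `saveModification` function and the field names are hypothetical), this PHP example shows a save handler that enforces `canEdit()` on the server while still accepting the enabled toggle:

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for a template modification entity (PHP 8.0+).
final class Modification
{
    public function __construct(
        public string $find,
        public string $replace,
        public bool $enabled,
        private bool $editable // assumption: false when the item belongs to an add-on
    ) {}

    public function canEdit(): bool { return $this->editable; }
}

/** Apply submitted input; returns a list of errors, empty when the save went through. */
function saveModification(Modification $mod, array $input): array
{
    $fields   = ['find' => 'strval', 'replace' => 'strval', 'enabled' => 'boolval'];
    // The enabled state stays changeable even when canEdit() is false.
    $writable = $mod->canEdit() ? array_keys($fields) : ['enabled'];

    $changes = $errors = [];
    foreach ($fields as $name => $cast) {
        if (!array_key_exists($name, $input) || !is_scalar($input[$name])) {
            continue; // field not submitted (disabled inputs are not sent)
        }
        $value = $cast($input[$name]);
        if ($value === $mod->$name) {
            continue; // read-only inputs are sent back unchanged; that is fine
        }
        if (in_array($name, $writable, true)) {
            $changes[$name] = $value;
        } else {
            $errors[] = "Field '$name' cannot be changed for this modification.";
        }
    }
    if ($errors) {
        return $errors; // reject the whole request; nothing is written
    }
    foreach ($changes as $name => $value) {
        $mod->$name = $value;
    }
    return [];
}

// Constructed sample data: a modification for which canEdit() is false.
$mod = new Modification('<old>', '<new>', true, false);
var_dump(saveModification($mod, ['find' => '<old>', 'enabled' => '0'])); // toggle only
var_dump(saveModification($mod, ['replace' => 'x', 'enabled' => '1']));  // altered read-only field
```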
 