Document Management System / DMS-1890

Changing form values from the Console (Developer Tools) should not be allowed

    Details

    • Company:
      All Clients/Multiple Clients

      Description

      Disallow users from manipulating form data from the browser console on the Review and Sign page and on the Admin Preview page.
      Manipulated data should not be saved in the database.

      CC: Rohan J Khandave, Samir, Priya Dhamande

        Attachments

          Activity

          ramya.tantry Ramya Tantry (Inactive) added a comment -

          Areas impacted:

          1. Admin preview -> changes made to view-only and/or no-rights fields from developer tools -> Send
          2. Candidate Review and Sign -> changes made to view-only and/or no-rights fields from developer tools -> Submit/Decline
          3. API: Custom create -> open link in browser -> changes made to view-only and/or no-rights fields from developer tools -> Save

          Implementation:

          1. If previous JSON data is not present, form data is compared with database values. If manipulated data is found, it is replaced with database value.
          2. If previous JSON data is present, form data is compared with previous JSON values.  If manipulated data is found, it is replaced with previous JSON value.


          We are reusing the functionality built for fetching history data, but additional changes will be needed, so the estimate is extended from 16h to 24h.


          ramya.tantry Ramya Tantry (Inactive) added a comment -

          Putting on hold as I am working on DMS-1913.

          ramya.tantry Ramya Tantry (Inactive) added a comment -

          Concern: Manipulated data in no-rights and view-only fields was getting saved in the JSON of the document.

          Cause: The JSON data received from the UI was saved to the DB directly without being verified against the DB values. So if the data had been manipulated from dev tools and saved, it would be stored in the DB as the document JSON and the same would be fetched for the candidate. This is a data security breach.

          Correction: While saving the JSON data, additional code changes have been made to verify:

          1. If previous JSON data is not present, form data is compared with database values. If manipulated data is found, it is replaced with database value.
          2. If previous JSON data is present, form data is compared with previous JSON values.  If manipulated data is found, it is replaced with previous JSON value.

          Files Affected:

          1. DMS\DMS.App\src\DMS_AppLogic\BuisnessLogic\DocumentData.cs
          2. DMS\DMS.App\src\DMS_AppLogic\BuisnessLogic\PersonData.cs
          3. DMS\DMS.App\src\DMS_AppLogic\Common\HistoryData.cs
          4. DMS\DMS.App\src\DMS_AppLogic\Common\IHistoryData.cs
          5. DMS\DMS.App\src\DMS_AppLogic\Common\Routines\CommonRoutines.cs
          6. DMS\DMS.App\src\DMS_AppLogic\Common\Routines\ICommonRoutines.cs
          7. DMS\DMS.App\src\DMS_AppLogic\IntegrationLogic\CandidateProfile.cs
          8. DMS\DMS.App\src\DMS_AppLogic\Repository\IDocumentRepository.cs
          9. DMS\DMS.App\src\DMS_WebApi\Startup.cs
          10. DMS\DMS.App\src\Entities\Document\FieldsDto.cs
          11. DMS\DMS.Web\src\DMS_WebApp\ClientApp\src\app\candidate\document-review\document-review.component.ts
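The check described in the two comments above (compare the submitted form JSON against the previous document JSON when one exists, otherwise against the database, and put back the trusted value wherever a view-only or no-rights field was changed) can be expressed as a single server-side guard. The following is an added example written for this page, not code from the DMS repository; every type and member name (FieldRight, FieldDto, FormDataGuard.Sanitize, the sample field names and values) is hypothetical, and the field-permission map is assumed to come from the server's own form definition for the acting user, never from the request body.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Added example (not DMS project code). Models the server-side check the ticket
// describes: values submitted for fields the current user may not edit are
// discarded and replaced by the trusted value (previous document JSON if present,
// otherwise the database value). All names here are hypothetical.
public enum FieldRight { NoRights, ViewOnly, Editable }

public sealed class FieldDto
{
    public string Name { get; init; } = "";
    public string? Value { get; init; }
}

public sealed class SanitizeResult
{
    public List<FieldDto> Fields { get; } = new();
    public List<string> RejectedFields { get; } = new();   // for audit logging
}

public static class FormDataGuard
{
    // rights:       server-side permission per field for the acting user (never read from the request).
    // previousJson: fields of the last saved document version, or null when none exists.
    // dbValues:     authoritative field values from the database.
    public static SanitizeResult Sanitize(
        IEnumerable<FieldDto> submitted,
        IReadOnlyDictionary<string, FieldRight> rights,
        IReadOnlyDictionary<string, string?>? previousJson,
        IReadOnlyDictionary<string, string?> dbValues)
    {
        // Rule from the ticket: compare against previous JSON when present, else against the DB.
        IReadOnlyDictionary<string, string?> trusted = previousJson ?? dbValues;
        var result = new SanitizeResult();

        foreach (var field in submitted)
        {
            // A field name that is not in the form definition is dropped entirely.
            if (!rights.TryGetValue(field.Name, out var right))
            {
                result.RejectedFields.Add(field.Name);
                continue;
            }

            if (right == FieldRight.Editable)
            {
                result.Fields.Add(field);
                continue;
            }

            // ViewOnly / NoRights: the client must not be able to change this value.
            trusted.TryGetValue(field.Name, out var trustedValue);
            if (!string.Equals(field.Value, trustedValue, StringComparison.Ordinal))
                result.RejectedFields.Add(field.Name);

            result.Fields.Add(new FieldDto { Name = field.Name, Value = trustedValue });
        }

        // Protected fields the client omitted still receive their trusted value, so a
        // client cannot blank a field simply by leaving it out of the payload.
        var seen = result.Fields.Select(f => f.Name).ToHashSet(StringComparer.Ordinal);
        foreach (var (name, right) in rights)
        {
            if (right == FieldRight.Editable || seen.Contains(name)) continue;
            trusted.TryGetValue(name, out var trustedValue);
            result.Fields.Add(new FieldDto { Name = name, Value = trustedValue });
        }
        return result;
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample data, not taken from DMS.
        var rights = new Dictionary<string, FieldRight>
        {
            ["CandidateName"] = FieldRight.ViewOnly,
            ["Salary"]        = FieldRight.NoRights,
            ["Comments"]      = FieldRight.Editable,
        };
        var db = new Dictionary<string, string?>
        {
            ["CandidateName"] = "A. Candidate", ["Salary"] = "50000", ["Comments"] = null,
        };
        // Payload as it might arrive after editing the DOM or calling fetch() from the console.
        var submitted = new[]
        {
            new FieldDto { Name = "CandidateName", Value = "A. Candidate" },
            new FieldDto { Name = "Salary",        Value = "950000" },   // tampered no-rights field
            new FieldDto { Name = "Comments",      Value = "Looks fine" },
            new FieldDto { Name = "IsApproved",    Value = "true" },     // not part of the form at all
        };

        var r = FormDataGuard.Sanitize(submitted, rights, previousJson: null, dbValues: db);
        foreach (var f in r.Fields) Console.WriteLine($"{f.Name} = {f.Value ?? "<null>"}");
        Console.WriteLine("rejected: " + string.Join(", ", r.RejectedFields));
    }
}
```

Two points worth checking in the real implementation: the per-field rights used for the comparison must be resolved on the server from the form definition and the current user's role, because any permission flags carried inside the submitted JSON can be edited from the console just as easily as the values; and the rejected-field list should be logged rather than silently discarded, since a client that submits changed values for no-rights fields is tampering and that is a signal the operations team will want to see.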
          priya.dhamande Priya Dhamande (Inactive) added a comment -

          No testing input required. So, marking jira done.


            People

            Assignee:
            rohan.khandave Rohan J Khandave (Inactive)
            Reporter:
            ramya.tantry Ramya Tantry (Inactive)
            Votes:
            0
            Watchers:
            1

              Dates

              Created:
              Updated:
              Resolved:

                Time Tracking

                Estimated:
                24h
                Remaining:
                0h
                Logged:
                26h