[DMS-1890] Changing values of form from Console[Developer Tools] should not be allowed - Workterra Jira

Details

Type: Bug
Status: Done
Priority: Medium
Resolution: Done
Affects Version/s: None
Fix Version/s: Between Fall and Winter 2019
Labels:
None

Company:
All Clients/Multiple Clients

Description

Disallow User to manipulate data from console of form on Review and Sign page and on Admin Preview page.
Manipulated data should not be saved in Database.

CC: Rohan J Khandave,Samir,Priya Dhamande

Attachments

Activity

Ascending order - Click to sort in descending order

Ramya Tantry (Inactive) created issue - 11/Sep/19 12:18 AM

Ramya Tantry (Inactive) made changes - 11/Sep/19 12:28 AM

Field	Original Value	New Value
Summary	Changing values of PDF from Console should not be allowed	Changing values of form from Console[Developer Tools] should not be allowed

Ramya Tantry (Inactive) made changes - 15/Sep/19 09:26 PM

Status

To Do [ 10000 ]

In Progress [ 3 ]

Ramya Tantry (Inactive) made changes - 15/Sep/19 10:45 PM

Status

In Progress [ 3 ]

To Do [ 10000 ]

Ramya Tantry (Inactive) made changes - 16/Sep/19 02:03 AM

Status

To Do [ 10000 ]

In Progress [ 3 ]

Ramya Tantry (Inactive) made changes - 16/Sep/19 02:03 AM

Description

Disallow User to manipulate data from console of form on Review and Sign page and on Admin Preview page.
Manipulated should not be saved in Database.

CC: [~rohan.khandave],[~samir],[~priya.dhamande]

Disallow User to manipulate data from console of form on Review and Sign page and on Admin Preview page.
Manipulated data should not be saved in Database.

CC: [~rohan.khandave],[~samir],[~priya.dhamande]

Ramya Tantry (Inactive) made changes - 16/Sep/19 02:35 AM

Remaining Estimate		16h [ 57600 ]
Original Estimate		16h [ 57600 ]

Ramya Tantry (Inactive) made changes - 16/Sep/19 08:30 PM

Sprint

DMS - Gap Fall & Win Sprint 4 [ 179 ]

Permalink

Ramya Tantry (Inactive) logged work - 17/Sep/19 05:36 AM

Time Spent:

1h

Issue analysis

Ramya Tantry (Inactive) made changes - 17/Sep/19 05:36 AM

Remaining Estimate	16h [ 57600 ]	15h [ 54000 ]
Time Spent		1h [ 3600 ]
Worklog Id	200670 [ 200670 ]

Permalink

Ramya Tantry (Inactive) logged work - 18/Sep/19 05:48 AM

Time Spent:

2h

Code changes

Ramya Tantry (Inactive) made changes - 18/Sep/19 05:48 AM

Remaining Estimate	15h [ 54000 ]	13h [ 46800 ]
Time Spent	1h [ 3600 ]	3h [ 10800 ]
Worklog Id	200954 [ 200954 ]

Permalink

Ramya Tantry (Inactive) logged work - 19/Sep/19 05:49 AM

Time Spent:

7.5h

Code changes

Discussion with Rohan

Testing

Hide

Permalink

Ramya Tantry (Inactive) added a comment - 19/Sep/19 05:49 AM

Areas impacted:

Admin preview -> changes done to view only and/or no rights field from developer tools -> Send
Candidate Review and Sign -> changes done to view only and/or no rights field from developer tools -> Submit/Decline
API : Custom create -> open link in browser -> changes done to view only and/or no rights field from developer tools -> Save

Implementation:

If previous JSON data is not present, form data is compared with database values. If manipulated data is found, it is replaced with database value.
If previous JSON data is present, form data is compared with previous JSON values. If manipulated data is found, it is replaced with previous JSON value.

We are reusing the functionality done for fetching history data but will need additional changes. So extending the estimates 16h to 24h

Show

Ramya Tantry (Inactive) added a comment - 19/Sep/19 05:49 AM Areas impacted: Admin preview -> changes done to view only and/or no rights field from developer tools -> Send Candidate Review and Sign -> changes done to view only and/or no rights field from developer tools -> Submit/Decline API : Custom create -> open link in browser -> changes done to view only and/or no rights field from developer tools -> Save Implementation: If previous JSON data is not present, form data is compared with database values. If manipulated data is found, it is replaced with database value. If previous JSON data is present, form data is compared with previous JSON values. If manipulated data is found, it is replaced with previous JSON value. We are reusing the functionality done for fetching history data but will need additional changes. So extending the estimates 16h to 24h

Ramya Tantry (Inactive) made changes - 19/Sep/19 05:50 AM

Remaining Estimate	13h [ 46800 ]	5.5h [ 19800 ]
Time Spent	3h [ 10800 ]	10.5h [ 37800 ]
Worklog Id	201279 [ 201279 ]

Ramya Tantry (Inactive) made changes - 19/Sep/19 05:51 AM

Remaining Estimate	5.5h [ 19800 ]	13.5h [ 48600 ]
Original Estimate	16h [ 57600 ]	24h [ 86400 ]

Permalink

Ramya Tantry (Inactive) logged work - 20/Sep/19 06:11 AM

Time Spent:

3.5h

Code changes

Ramya Tantry (Inactive) made changes - 20/Sep/19 06:11 AM

Remaining Estimate	13.5h [ 48600 ]	10h [ 36000 ]
Time Spent	10.5h [ 37800 ]	14h [ 50400 ]
Worklog Id	201529 [ 201529 ]

Ramya Tantry (Inactive) made changes - 22/Sep/19 08:55 PM

Status

In Progress [ 3 ]

To Do [ 10000 ]

Hide

Permalink

Ramya Tantry (Inactive) added a comment - 22/Sep/19 08:56 PM

Putting on hold as I am working on ~~DMS-1913~~.

Show

Ramya Tantry (Inactive) added a comment - 22/Sep/19 08:56 PM Putting on hold as I am working on DMS-1913 .

Ramya Tantry (Inactive) made changes - 23/Sep/19 09:07 PM

Status

To Do [ 10000 ]

In Progress [ 3 ]

Hide

Permalink

Ramya Tantry (Inactive) added a comment - 24/Sep/19 05:29 AM

Concern: Manipulated data of no rights and view only permissions was getting saved in JSON of the document.

Cause: The JSON data received from UI was getting saved into DB directly without it getting verified with the DB values. So in case if the data has been manipulated from DEV tools and saved, this data will be saved into DB as document JSON and the same will be fetched to candidate.This is data security breach.

Correction: While saving the JSON data, additional code changes have been done to verify -

If previous JSON data is not present, form data is compared with database values. If manipulated data is found, it is replaced with database value.
If previous JSON data is present, form data is compared with previous JSON values. If manipulated data is found, it is replaced with previous JSON value.

Files Affected:

DMS\DMS.App\src\DMS_AppLogic\BuisnessLogic\DocumentData.cs
DMS\DMS.App\src\DMS_AppLogic\BuisnessLogic\PersonData.cs
DMS\DMS.App\src\DMS_AppLogic\Common\HistoryData.cs
DMS\DMS.App\src\DMS_AppLogic\Common\IHistoryData.cs
DMS\DMS.App\src\DMS_AppLogic\Common\Routines\CommonRoutines.cs
DMS\DMS.App\src\DMS_AppLogic\Common\Routines\ICommonRoutines.cs
DMS\DMS.App\src\DMS_AppLogic\IntegrationLogic\CandidateProfile.cs
DMS\DMS.App\src\DMS_AppLogic\Repository\IDocumentRepository.cs
DMS\DMS.App\src\DMS_WebApi\Startup.cs
DMS\DMS.App\src\Entities\Document\FieldsDto.cs
DMS\DMS.Web\src\DMS_WebApp\ClientApp\src\app\candidate\document-review\document-review.component.ts

Show

Ramya Tantry (Inactive) added a comment - 24/Sep/19 05:29 AM Concern : Manipulated data of no rights and view only permissions was getting saved in JSON of the document. Cause : The JSON data received from UI was getting saved into DB directly without it getting verified with the DB values. So in case if the data has been manipulated from DEV tools and saved, this data will be saved into DB as document JSON and the same will be fetched to candidate.This is data security breach. Correction : While saving the JSON data, additional code changes have been done to verify - If previous JSON data is not present, form data is compared with database values. If manipulated data is found, it is replaced with database value. If previous JSON data is present, form data is compared with previous JSON values. If manipulated data is found, it is replaced with previous JSON value. Files Affected: DMS\DMS.App\src\DMS_AppLogic\BuisnessLogic\DocumentData.cs DMS\DMS.App\src\DMS_AppLogic\BuisnessLogic\PersonData.cs DMS\DMS.App\src\DMS_AppLogic\Common\HistoryData.cs DMS\DMS.App\src\DMS_AppLogic\Common\IHistoryData.cs DMS\DMS.App\src\DMS_AppLogic\Common\Routines\CommonRoutines.cs DMS\DMS.App\src\DMS_AppLogic\Common\Routines\ICommonRoutines.cs DMS\DMS.App\src\DMS_AppLogic\IntegrationLogic\CandidateProfile.cs DMS\DMS.App\src\DMS_AppLogic\Repository\IDocumentRepository.cs DMS\DMS.App\src\DMS_WebApi\Startup.cs DMS\DMS.App\src\Entities\Document\FieldsDto.cs DMS\DMS.Web\src\DMS_WebApp\ClientApp\src\app\candidate\document-review\document-review.component.ts

Permalink

Ramya Tantry (Inactive) logged work - 24/Sep/19 05:31 AM

Time Spent:

3.5h

Code changes

Testing

Draft reply

Ramya Tantry (Inactive) made changes - 24/Sep/19 05:31 AM

Remaining Estimate	10h [ 36000 ]	6.5h [ 23400 ]
Time Spent	14h [ 50400 ]	17.5h [ 63000 ]
Worklog Id	202091 [ 202091 ]

Ramya Tantry (Inactive) made changes - 24/Sep/19 09:20 PM

Status

In Progress [ 3 ]

Code Review [ 11801 ]

Ramya Tantry (Inactive) made changes - 24/Sep/19 09:21 PM

Assignee

Ramya Tantry [ ramya.tantry ]

Harshveer Singh [ harshveer.singh ]

Permalink

Ramya Tantry (Inactive) logged work - 25/Sep/19 05:36 AM

Time Spent:

1h

Jira updation

raise pr

Ramya Tantry (Inactive) made changes - 25/Sep/19 05:36 AM

Remaining Estimate	6.5h [ 23400 ]	5.5h [ 19800 ]
Time Spent	17.5h [ 63000 ]	18.5h [ 66600 ]
Worklog Id	202343 [ 202343 ]

Ramya Tantry (Inactive) made changes - 26/Sep/19 09:01 PM

Assignee

Harshveer Singh [ harshveer.singh ]

Ramya Tantry [ ramya.tantry ]

Ramya Tantry (Inactive) made changes - 26/Sep/19 09:01 PM

Status

Code Review [ 11801 ]

In Progress [ 3 ]

Permalink

Ramya Tantry (Inactive) logged work - 27/Sep/19 06:22 AM

Time Spent:

5.5h

Code changes

Ramya Tantry (Inactive) made changes - 27/Sep/19 06:22 AM

Remaining Estimate	5.5h [ 19800 ]	0h [ 0 ]
Time Spent	18.5h [ 66600 ]	24h [ 86400 ]
Worklog Id	202932 [ 202932 ]

ShashiKant Mishra (Inactive) made changes - 29/Sep/19 09:48 PM

Sprint

DMS - Gap Fall & Win Sprint 4 [ 179 ]

DMS - Gap Fall & Win Sprint 4, DMS - Gap Fall & Win Sprint 5 [ 179, 181 ]

Permalink

Ramya Tantry (Inactive) logged work - 29/Sep/19 10:50 PM

Time Spent:

2h

Code review changes and testing

Ramya Tantry (Inactive) made changes - 29/Sep/19 10:51 PM

Time Spent	24h [ 86400 ]	26h [ 93600 ]
Worklog Id	203160 [ 203160 ]

Ramya Tantry (Inactive) made changes - 29/Sep/19 10:51 PM

Status

In Progress [ 3 ]

Code Review [ 11801 ]

Ramya Tantry (Inactive) made changes - 29/Sep/19 10:51 PM

Assignee

Ramya Tantry [ ramya.tantry ]

Harshveer Singh [ harshveer.singh ]

Ashish Durani made changes - 01/Oct/19 12:32 AM

Status

Code Review [ 11801 ]

In QA Testing [ 11901 ]

Ashish Durani made changes - 01/Oct/19 12:32 AM

Assignee

Harshveer Singh [ harshveer.singh ]

Priya Dhamande [ priya.dhamande ]

Hide

Permalink

Priya Dhamande (Inactive) added a comment - 03/Oct/19 03:11 AM

No testing input required. So, marking jira done.

Show

Priya Dhamande (Inactive) added a comment - 03/Oct/19 03:11 AM No testing input required. So, marking jira done.

Priya Dhamande (Inactive) made changes - 03/Oct/19 03:11 AM

Resolution		Done [ 10000 ]
Status	In QA Testing [ 11901 ]	Done [ 10001 ]

Priya Dhamande (Inactive) made changes - 03/Oct/19 03:11 AM

Assignee

Priya Dhamande [ priya.dhamande ]

Rohan J Khandave [ rohan.khandave ]

Priya Dhamande (Inactive) made changes - 03/Oct/19 03:23 AM

Status

Done [ 10001 ]

In QA Testing [ 11901 ]

Priya Dhamande (Inactive) made changes - 03/Oct/19 03:23 AM

Assignee

Rohan J Khandave [ rohan.khandave ]

Priya Dhamande [ priya.dhamande ]

Priya Dhamande (Inactive) made changes - 10/Oct/19 05:49 AM

Status

In QA Testing [ 11901 ]

Done [ 10001 ]

Priya Dhamande (Inactive) made changes - 10/Oct/19 05:49 AM

Assignee

Priya Dhamande [ priya.dhamande ]

Ramya Tantry [ ramya.tantry ]

Samir made changes - 10/Oct/19 09:37 PM

Assignee

Ramya Tantry [ ramya.tantry ]

Rohan J Khandave [ rohan.khandave ]

Transition	Time In Source Status	Execution Times

Ramya Tantry (Inactive) made transition - 22/Sep/19 08:55 PM

In Progress

To Do

6d 20h 11m

Ramya Tantry (Inactive) made transition - 23/Sep/19 09:07 PM

To Do

In Progress

6d 37m

Ramya Tantry (Inactive) made transition - 26/Sep/19 09:01 PM

Code Review

In Progress

1d 23h 40m

Ramya Tantry (Inactive) made transition - 29/Sep/19 10:51 PM

In Progress

Code Review

4d 2h 3m

Ashish Durani made transition - 01/Oct/19 12:32 AM

Code Review

In QA Testing

1d 1h 40m

Priya Dhamande (Inactive) made transition - 03/Oct/19 03:23 AM

Done

In QA Testing

12m 34s

Priya Dhamande (Inactive) made transition - 10/Oct/19 05:49 AM

In QA Testing

Done

9d 5h 4m

People

Assignee:: Rohan J Khandave (Inactive)

Reporter:: Ramya Tantry (Inactive)

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 11/Sep/19 12:18 AM

Updated:: 10/Oct/19 09:37 PM

Resolved:: 03/Oct/19 03:11 AM

Time Tracking

Estimated:

24h

Remaining:

Logged:

26h