brad

Reputation: 687

Re-enabling Buttons, Link Buttons, Links

I've scoured for a solution to this, but, oddly, I can find nothing related to this potentially very serious issue as I see it. When I disable a button, link button, or link, I do so with the intention that a user cannot click that link and perform the underlying action because it's against my business rules. However, I've found that I can simply hit F12, open developer tools, and modify the disabled button in order to enable it. It doesn't matter whether I disable the button in JavaScript or in code behind, the end resulting tag is pretty much the same. All I have to do is to remove the "disabled" attribute and, in the case of an ASP button, also remove the class attribute. And presto! I can now click the button. Scary. Does anyone have a solution to this?

Upvotes: 1

Views: 59

Answers (2)

dougajmcdonald

Reputation: 20057

The solution is to have some form of server-side security in place as well as client-side 'control'.

For example, you would perhaps authenticate the user and pull a set of functions they have access to from a database. These you could store somewhere server side, perhaps in session for the duration of the user's visit.

When they attempt to perform an action, you need to check that action against the list of available actions to see if they have permissions. They cannot tinker with the server side security in the same way as they could enable a button.

In ASP.Net this is commonly done with attributes or different types, perhaps only allowing users in a certain role to access particular pages, controllers, actions, methods etc.

Upvotes: 1

Quentin

Reputation: 943995

You have no control over what HTTP requests will be sent to your server.

Always do your security / sanity / data integrity / authentication / authorization / business rule enforcement / etc checks on the server.

Anything you do on the client is only there for the convenience of the user. You cannot make the browser enforce your security because the user owns the browser.

Upvotes: 3
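Both answers describe the same pattern: the permission set lives on the server, the disabled button is only a hint, and every posted action is re-checked against that set. The following is an added, framework-agnostic Python illustration of that pattern; it is not code from either answer and not ASP.NET itself. `PERMISSIONS_DB`, `Session`, `render_button`, `handle_post` and the sample users are constructed for this example.

```python
"""Server-side enforcement of a permission list, independent of client button state."""
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed sample data: per-user permitted actions, standing in for the
# database lookup done at authentication time.
PERMISSIONS_DB = {
    "alice": {"view_order", "approve_order"},
    "bob": {"view_order"},
}

# Constructed audit trail: denied attempts are recorded so repeated tampering
# with disabled controls is visible to operators.
DENIED_LOG: list[str] = []


@dataclass(frozen=True)
class Session:
    """Server-side session: the permission set is loaded once and never read from the client."""
    user: str
    allowed_actions: frozenset[str]


def login(username: str) -> Session:
    """Authenticate (assumed done) and cache the user's permitted actions server-side."""
    return Session(user=username,
                   allowed_actions=frozenset(PERMISSIONS_DB.get(username, ())))


def render_button(session: Session, action: str) -> str:
    """Client-side convenience only: the disabled attribute guides the user, it enforces nothing."""
    disabled = "" if action in session.allowed_actions else " disabled"
    return f'<button name="action" value="{action}"{disabled}>{action}</button>'


@dataclass
class Request:
    """Minimal stand-in for an HTTP POST: the server-side session plus submitted form fields."""
    session: Session
    form: dict = field(default_factory=dict)


def handle_post_trusting_client(request: Request) -> tuple[int, str]:
    """The weak handler: assumes the UI already prevented forbidden actions."""
    action = request.form.get("action")
    return 200, f"ok: {action} performed by {request.session.user}"


def handle_post(request: Request) -> tuple[int, str]:
    """The hardened handler: re-checks the action against the server-side permission set.

    It does not matter how the form was produced; a missing, unknown or
    re-enabled action is rejected the same way.
    """
    action = request.form.get("action")
    if action not in request.session.allowed_actions:
        DENIED_LOG.append(f"user={request.session.user} action={action!r} denied")
        return 403, f"forbidden: {request.session.user} may not perform {action!r}"
    return 200, f"ok: {action} performed by {request.session.user}"


def demo() -> dict[str, object]:
    """Render bob's page, then submit the action his disabled button was guarding."""
    bob = login("bob")
    page = render_button(bob, "approve_order")          # rendered with disabled
    tampered = Request(bob, {"action": "approve_order"})  # same request a re-enabled button would send
    return {
        "button_disabled": "disabled" in page,
        "weak_handler": handle_post_trusting_client(tampered)[0],
        "hardened_handler": handle_post(tampered)[0],
        "denied_entries": len(DENIED_LOG),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The contrast is the whole point: `handle_post_trusting_client` returns 200 for the request a re-enabled button produces, while `handle_post` returns 403 and leaves an audit entry, because the decision is made from `Session.allowed_actions` on the server rather than from anything the browser sent.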
