[DECLINED] UI let user change disabled fields

I’m submitting a…

  • [ ] Regression (a behavior that stopped working in a new release)
  • [X] Bug report
  • [ ] Performance issue
  • [ ] Documentation issue or request

Current behavior

I have flag some fields as disabled from the Schema definition.
When I click on a content in order to modify it I can see that those fields are correctly disabled. However, if I inspect the HTML source code of the page and I remove the disable flag from the HTML tag, I can easily modify those field. Finally, if I click the “save” button the client uncorrectly saves those modfication to the content. In this way, anyone potentially can modify every field of the contents.

Expected behavior

If I try to “hack” the view and modify a disabled parameter by modifying the HTML code, the client should visualize an error and, more important, must not save the modifications.


  • [ ] Self hosted with docker
  • [ ] Self hosted with IIS
  • [ ] Self hosted with other version
  • [X] Cloud version

It is by design so far or I decided to keep this feature simple. The squidex UI is tool for your team and If you have problems that somebody within your teams hacks the system you definitely have a big issue. He or she could potentially also create a client and update these fields with the API.

Thank you for the explanation.