Is it possible to hack Angular 2 disabled input tag?

Issue

For example I have this part of code in my component’s template:

<input type="text" class="form-control" [(ngModel)]="profileUser.role" name="role" [disabled]="!isAdmin">

And in my component’s module I have:

if (this.currentUser.role == "Admin")
{
  this.isAdmin = true;
}

I want to give right to edit this input field only for those users, who have “Admin” role, and to disable this filed for other users (but to show them current value of profileUser.role).

Is it safe solution or it is possible to hack input tag properties and gain access to disabled field and than change its value and update it with Submit button.

If second statement is correct, please suggest the safest way to show such data on ngForm, bounded with ngModel two-way binding.

Solution

You must protect your data in both sides: client and server. Client code must control data output (but it can be hacked on client side in many ways) and data input – data validation.

But access to and storing of all vital data must be double-checked on server-side.

Answered By – Sergey Danishevskiy

Answer Checked By – Willingham (AngularFixing Volunteer)

Leave a Reply

Your email address will not be published.