Search found 60 matches

by swar
18 Mar 2021, 00:49
Forum: Bug Report version 2.8
Topic: CSRF vulnerability on Rukovoditel 2.8.3 Hacker change admin password
Replies: 14
Views: 1291

Re: CSRF vulnerability on Rukovoditel 2.8.3 Hacker change admin password

Very glad to hear that!

Do you think that you could upload the changed files here, as you usually do when preparing fixes? It would be much appreciated, and I believe not only by me!
by swar
18 Mar 2021, 00:45
Forum: Suggestions
Topic: Display Fields Rules - hide the whole tab
Replies: 1
Views: 321

Display Fields Rules - hide the whole tab

It is great that you can hide fields using Display Fields Rules (https://docs.rukovoditel.net/index.php?p=112).

And it would be even greater if it were possible to hide tabs. Or, alternatively, if the tab were hidden automatically in case all fields in the tab were hidden.
by swar
18 Mar 2021, 00:25
Forum: Bug Report version 2.8
Topic: Nested forms - checkboxes, dropdown with multiselect
Replies: 3
Views: 1611

Nested forms - checkboxes, dropdown with multiselect

When adding or editing fields of a subentity in a nested form, the values in checkboxes and multi-select dropdowns are not saved. I have created a video showing the problem: here. In my example in the video, the fields in the nested forms are: employee - field type entity - dropdown - works correctly roles...
by swar
16 Mar 2021, 22:19
Forum: Bug Report version 2.8
Topic: Change history (extension) - missing record of copying of selected (actions with selected)
Replies: 3
Views: 1652

Change history (extension) - missing record of copying of selected (actions with selected)

I am trying Rukovoditel's extension demo and noticed that if I copy selected records (actions with selected) this change does not appear in the change history.
by swar
16 Mar 2021, 16:48
Forum: Bug Report version 2.8
Topic: CSRF vulnerability on Rukovoditel 2.8.3 Hacker change admin password
Replies: 14
Views: 1291

Re: CSRF vulnerability on Rukovoditel 2.8.3 Hacker change admin password

I don't agree with that. Too many IFs. 1) If you download the hack file. 2) If you run it. 3) If you are logged in. 4) If you have access, then it can run some actions. The only thing you really need to hack any Rukovoditel is to know the URL. For 1+2 it is enough to just open a link with malicious code in the br...
by swar
16 Mar 2021, 16:26
Forum: Bug Report version 2.7
Topic: Rukovoditel 2.7.2 Clickjacking Vulnerability
Replies: 3
Views: 1886

Re: Rukovoditel 2.7.2 Clickjacking Vulnerability

@support Is there a way to allow users to use the WYSIWYG textarea and at the same time disable iframes?
by swar
16 Mar 2021, 15:06
Forum: Bug Report version 2.8
Topic: CSRF vulnerability on Rukovoditel 2.8.3 Hacker can add new user with admin privilege
Replies: 12
Views: 8059

Re: CSRF vulnerability on Rukovoditel 2.8.3 Hacker can add new user with admin privilege

Well, I have briefly checked the code of some modules, and there is a function app_check_form_token() to protect some actions against CSRF. The problem is that it is used only in some places, but surely not everywhere. Even after the fix uploaded by support to the other thread, there are a lot of forms and acti...
by swar
16 Mar 2021, 14:56
Forum: Bug Report version 2.8
Topic: CSRF vulnerability on Rukovoditel 2.8.3 Hacker change admin password
Replies: 14
Views: 1291

Re: CSRF vulnerability on Rukovoditel 2.8.3 Hacker change admin password

@support Thanks for preparing the fix; it seems that this exact vulnerability is fixed by it. But I think there are other forms still highly vulnerable to this exact technique. You use the function app_check_form_token() to protect actions from being abused by CSRF. But only some actions are protected, ot...
by swar
13 Mar 2021, 03:50
Forum: Bug Report version 2.8
Topic: CSRF vulnerability on Rukovoditel 2.8.3 Hacker change admin password
Replies: 14
Views: 1291

Re: CSRF vulnerability on Rukovoditel 2.8.3 Hacker change admin password

My comment from https://forum.rukovoditel.net/viewtopic.php?f=19&t=2760 applies here as well. Another probable critical security bug. Sergei, it seems to me that you might not be familiar with the concept of a CSRF attack. This looks like a HUGE problem, as it seems that the whole app is maybe not pro...
by swar
13 Mar 2021, 03:44
Forum: Bug Report version 2.8
Topic: CSRF vulnerability on Rukovoditel 2.8.3 Hacker can add new user with admin privilege
Replies: 12
Views: 8059

Re: CSRF vulnerability on Rukovoditel 2.8.3 Hacker can add new user with admin privilege

This looks like a critical security bug requiring an immediate patch. A typical basic CSRF vulnerability. It does not matter that the attacker is not logged in; the problem is that the attacker can easily achieve that the script is activated by a logged-in user, e.g. by sending the admin a link to a malicious...