This is my way of reporting a security issue regarding computed RTF fields.

 

I'm using a form Form1 with two RTF fields

An attachment is manually (drag&drop) added to RTF1 and the document is saved and closed.

An agent changes form to Form2 which is identical to Form1 except that RTF1 is computed with value RTF1

When I open the document again I can still edit in RTF2 and RTF1 is ofcourse locked down.

 

EXCEPT : I can drag the attachment from RTF1 to RTF2 and it will indeed be _moved_

 

To make it easy for you to verify this issue I have released a test-nsf for you to play with :

go to gmail

login using joneast7@gmail.com with joneast77 as password.

download sample database containting 2 forms and one view

open database

press button "new test"

add file to top field named "Fält 1"

Close and save

select the new document

press button "switch form to Test2"

open your document in edit mode

note that the top field is now "read only" and bottom field is "open"

drag file from upper fild to lower field (answering the dialog "YES")

and BEHOLD, you have deleted an attachment form a read only field.

 

This issue was PMR:ed back in december 2011 (using 8.5.2/3) to no response #55635 113 848

This is a regression as version 7 works as designed.

 

Best regards

Jonas Österling