As the title says is this possible? I have a project where, in certain scenarios, I need to disable a button on the page. I have set up a flag for it & do some checks in the controller & based on the flag set the button disabled accordingly. If the button is to be disabled it includes "disabled" if not there is no text as I found that disabled="enabled" still disabled the button.
My question is how do I stop some one from changing this through the F12 developer tools? I can load that up find the element & remove the disabled property & hey presto it is no longer disabled. How/can I stop this behaviour? Is there a way to make it more permanent than that?
I'm using System.Web.Mvc.dll v5.2.9.0
As others have mentioned, you can't control what other users are doing. If you are already checking in your controller if the button should be enabled, then the proper solution is to also disable the endpoint at the same time so nothing happens or it returns an error page if they click on it anyway.
As a side note: You are correct, it only cares if the word disabled is there. Disabled="disabled" is normally done to make it compatible with xhtml. It does not matter at all what is in the quotes. They are ignored.
Real code in our project:
if (!order.CanEdit())
return PartialView("_ErrorDialog", "Order cannot be edited.");
else if (!order.CanBeTransferred())
return PartialView("_ErrorDialog", "Invalid status. Cannot transfer this order");
else if (order.IsTransfer)
return PartialView("_ErrorDialog", "Cannot transfer an existing transfer.");
You should never depend on just the html to block functionality. Alternately, if this is all postbacks you could not just render the button disabled, you could change the action to #. That isn't fool proof though as someone could still attempt to call your endpoint directly.