[en] TS001839266 — API call table update for read only Input Form
[en] Fixed: Resolved an issue where a user with a restricted role can update, add or delete table rows using RestAPI calls using a read only Input Form for that table.
[en] Reproduction Steps
[en] 1. Log in to the admin client.
[en] 2. From Composer, create a custom table with two columns. Add some rows with data.
[en] 3. Go to Admin > User and Permissions > Add new role.
[en] 4. Assign view only access to the new role.
[en] 5. Select the model > Model Options > Add User. Assign the user to the new role.
[en] 6. From Composer, select the table from step 2 > Show More > Input Forms > Add Input Form.
[en] 7. Edit the Input Form and make the columns Read Only.
[en] 8. Ensure the role created in step 3 has permissions for the input form.
[en] 8. Update the table using an API call.
[en] The result is the user is able to edit tables using API calls when a user with read only permissions should not be able to edit tables in the admin client.