Update statement ignores server-side logChanges

When a client sends a delta, the server tries to update all fields sent in the delta.

This means it trusts the client to send a correct delta.

I have a field that has ‘log changes’ disabled in the schema (because it became a calculated field in SQL).
When the field is sent anyway in the delta from a client (outdated browser app), the update fails.

I think the update mechanism should check the value of logChanges.

      for i := 0 to (aDelta.LoggedFieldCount - 1) do begin
        remotename := aDelta.LoggedFieldNames[i];

        // If this is UnionSourceDataTable then we should do fields remapping
        if Assigned(lSrcTable) then begin
          if SameText(remotename, def_SourceTableFieldName) then Continue;
          remotename := _GetTableField(lSrcTable.ColumnMappings,remotename);
        end;

uDABusinessProcessor, GenerateSQL2 procedure: line 1140

        fld := aDataset.Fields.FieldByName(remotename);
        if ((fld.DataType in [datAutoInc,datLargeAutoInc]) and not usegenerators) // Skips autoincs on DBs like MSSQL
          or (fld.Calculated) or (fld.ReadOnly) or (fld.ServerCalculated) then Continue;

Should IMO be changed to:

        if ((fld.DataType in [datAutoInc,datLargeAutoInc]) and not usegenerators) // Skips autoincs on DBs like MSSQL
          or (fld.Calculated) or (fld.ReadOnly) or (fld.ServerCalculated) or not fld.LogChanges then Continue;

The above is for the insert statement, but there are other places (update).

Since this mechanism can be abused to change fields that may not be changed by a malicious client,
this definitely needs to be looked at.

Thanks, logged as bugs://85767

bugs://85767 got closed with status fixed.
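
The check discussed in this thread, modelled as an added example in Python (it is not Data Abstract code and not part of the original posts): the server decides which delta fields reach the UPDATE from its own schema flags and returns the names it dropped so they can be logged. `FieldDef`, `build_update`, `SCHEMA` and `DELTA` are hypothetical names, and the delta layout is an assumption; the flags mirror the properties named in the post.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class FieldDef:
    """Server-side schema flags, named after the properties in the post."""
    name: str
    calculated: bool = False
    read_only: bool = False
    server_calculated: bool = False
    log_changes: bool = True

    def writable(self) -> bool:
        return not (self.calculated or self.read_only
                    or self.server_calculated or not self.log_changes)


def build_update(table, schema, key_field, delta):
    """Return (sql, params, rejected); rejected names are for logging."""
    fields = {f.name.lower(): f for f in schema}
    assignments, params, rejected = [], [], []
    for sent_name, value in delta["new"].items():
        fld = fields.get(sent_name.lower())
        if fld is None or fld.name == key_field or not fld.writable():
            rejected.append(sent_name)
            continue
        # Column name comes from the schema, never from the client string.
        assignments.append(f'"{fld.name}" = ?')
        params.append(value)
    if not assignments:
        return None, [], rejected
    params.append(delta["key"])
    sql = f'UPDATE "{table}" SET {", ".join(assignments)} WHERE "{key_field}" = ?'
    return sql, params, rejected


# Constructed sample: "Total" became a SQL-calculated field with log changes off,
# but an outdated client still sends it, along with a field the schema never had.
SCHEMA = [
    FieldDef("Id", read_only=True),
    FieldDef("Name"),
    FieldDef("Total", log_changes=False),
]
DELTA = {"key": 7, "new": {"Name": "Widget", "Total": 99.5, "IsAdmin": 1}}

if __name__ == "__main__":
    sql, params, rejected = build_update("Orders", SCHEMA, "Id", DELTA)
    print(sql, params)
    print("rejected fields:", rejected)
```

Logging the rejected names separates an outdated client (a known field that is no longer writable) from a delta carrying fields the schema never exposed.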