When a client sends a delta, the server tries to update all fields sent in the delta.
This means it trusts the client to send a correct delta.
I have a field that has ‘log changes’ disabled in the schema (because it became a calculated field in SQL).
When the field is sent anyway in the delta from a client (outdated browser app), the update fails.
I think the update mechanism should check the value of logChanges
for i := 0 to (aDelta.LoggedFieldCount - 1) do begin
remotename := aDelta.LoggedFieldNames[i];
// If this is UnionSourceDataTable then we should do fields remapping
if Assigned(lSrcTable) then begin
if SameText(remotename, def_SourceTableFieldName) then Continue;
remotename := _GetTableField(lSrcTable.ColumnMappings,remotename);
end;
uDABusinessProcessor, GenerateSQL2 procedure: line 1140
fld := aDataset.Fields.FieldByName(remotename);
if ((fld.DataType in [datAutoInc,datLargeAutoInc]) and not usegenerators) // Skips autoincs on DBs like MSSQL
or (fld.Calculated) or (fld.ReadOnly) or (fld.ServerCalculated) then Continue;
Should IMO be changed to:
if ((fld.DataType in [datAutoInc,datLargeAutoInc]) and not usegenerators) // Skips autoincs on DBs like MSSQL
or (fld.Calculated) or (fld.ReadOnly) or (fld.ServerCalculated)) or not fld.LogChanges then Continue;
The above is for the insert statement, but there are other places (update)
Since this mechanism can be abused to change fields that may not be changed by a malicious client,
this definitely needs to be looked at.