Applies to Product - Microsoft Dataverse
What’s happening?
The system allows modifications to the File field of a completed Activity record through the API, which is contrary to the expectation that such fields should be read-only once the activity is marked as complete.
Reason:
This behavior is expected in Dynamics 365 CRM, where completed activity records become read-only in the CRM user interface but can still be updated programmatically via the API. This allows for automated processes or integrations to modify completed activities.
Resolution:
To restrict updates to completed activity records through the API, implement the following custom solution:
1. Create a Plugin: Develop a plugin that triggers on the Update message for the activity entity. In the plugin code, check if the activity status is marked as completed. If it is, throw an exception to prevent the update.
2. Register the Plugin: Register the plugin on the Update message for the activity entity using the Plugin Registration Tool. Ensure that the plugin is registered in the appropriate stage to intercept the update request before it is processed.
This approach ensures that once an activity is marked as complete, it cannot be updated through any means, including the API, thus addressing the security concern identified during penetration testing.
