CFME is vulnerable to an authorization bypass. Read-only widgets can be edited by inspecting the form and removing the disabled attribute from its fields, because the read-only state is not validated on the server side. This business logic flaw violates the expected behavior.
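The missing server-side check described above, shown as an added example beside a corrected form. This is not CFME's own code: `Widget`, the field names and both update methods are hypothetical, and the request parameters are constructed.

```ruby
# Added illustration only: Widget, the field names and both update methods
# are hypothetical and are not taken from the CFME code base.
Widget = Struct.new(:title, :description, :read_only, keyword_init: true)

class ReadOnlyWidgetError < StandardError; end

EDITABLE_FIELDS = %w[title description].freeze

# Constructed request parameters. Browsers omit disabled inputs from a form
# submission, so these keys arriving for a read-only widget is itself a signal
# that the markup was altered or the request was built by hand.
SUBMITTED = { "title" => "changed", "description" => "changed" }.freeze

# Flawed pattern: relies on the browser keeping the inputs disabled and writes
# whatever arrives, whatever the widget's read-only state.
def apply_update_unchecked(widget, params)
  params.each { |key, value| widget[key] = value if EDITABLE_FIELDS.include?(key) }
  widget
end

# Corrected pattern: the read-only state comes from the server's own record,
# and any real change to a read-only widget is refused before anything is written.
def apply_update_checked(widget, params)
  changes = params.select { |key, value| EDITABLE_FIELDS.include?(key) && widget[key] != value }
  if widget.read_only && !changes.empty?
    raise ReadOnlyWidgetError, "refused change to read-only widget: #{changes.keys.join(', ')}"
  end
  changes.each { |key, value| widget[key] = value }
  widget
end
```

Logging the refused field names gives operations a record of requests that could only have come from a modified form.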