I'm trying to make an webform pre-filled data from db and disable most of them while only allowing user to re enter certain fields. I was simply setting unallowed fields as disabled but I found out that if you remove that attribute from the tag you can modify it at will.
My question is that, is user modification using dev console a sort of sandbox that's only effective on their end, or are they able to post data with their modified forms? If so, I'm going to have to take a different approach.
Think about verifing the data from the database, or simply show these data as plain text instead of disabled input form.