@burghard - Unfortunately it is not quite that simple.
Firstly read-only permissions could come in several (at least four) forms. (I am not saying that this is how Fabrik works, just explaining different types so that we can understand which type yours is.)
- The element's Access Level is r/w, it is written to the database on save, but the input field is made read-only but is still submitted to the server. Using javascript the value of this can be changed, and it can also be made r/w.
- The element's Access Level is r/w, it is written to the database on save, but the data is displayed to the user as text (non-editable) with a hidden field behind that is submitted to the server. Using javascript the value of this can be changed.
- The element's Access Level is r/o, it may or may not be written to the database on save, but the data is displayed to the user as text (non-editable). No value is submitted to the server, and if it is written to the database it will be only a server determined value.
- Although option 3. is ideal, it is possible that option 3 is actually implemented in HTML as option 2. and the server ignores the input field value because of the Access Level. This might be necessary e.g. if another calc field is based on this field.
In both cases 1. and 2., we definitely need to run
server validation even though the fields are read-only because a hacker could easily changes these fields to any values they want. If the field has Ajax validation set, then I cannot decide whether this makes sense to do or not. Clearly if the field doesn't change, then ajax validation won't run, but if it is changed by javascript and javascript fires the change event, then ajax validation will run - and this probably makes sense.
(Similarly if the field is an ajax calc field it still needs to be calculated on save because a hacker could have overridden an ajax calculation.)
Only in cases and 3. and 4. can we not do any validation.
Now depending on how you made your field read-only will decide which of the above options your field falls into. Did you do it with Access Levels or using e.g. the element's read-only option?