Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Prevent users from opening and filling forms they're not authorized to see/fill #6505

Closed
Tracked by #88
dianabarsan opened this issue Jun 19, 2020 · 3 comments
Closed
Tracked by #88
Assignees
Labels
Type: Security Affects security
Milestone

Comments

@dianabarsan
Copy link
Member

What feature do you want to improve?
We currently filter the report forms we display as available actions in the actionbar to the ones that the user is authorized to see (via the context.permissions property in the forms document).
With #6401, we also filter the create contact forms in a similar manner.
However, if a user accesses the form (be it contact or report form) by typing a valid URL that opens said form, we have no mechanism in place to authorize this action.

Describe the improvement you'd like
We could display an error screen, similar to the ones where the form fails to load, informing the user they're not authorized to complete the action.

Describe alternatives you've considered
Alternatively we could redirect the user to a "valid" page directly, and show a popup.

Additional context
We could, potentially, also apply this to edits (both of contacts AND reports).

@garethbowen
Copy link
Member

garethbowen commented Jun 21, 2020

We could, potentially, also apply this to edits (both of contacts AND reports).

I think it should also apply to edits. Additionally, we should display an error if the user doesn't have the can_edit permission as in this issue: #6215

@latin-panda
Copy link
Contributor

Documentation about form's context.permission

latin-panda added a commit that referenced this issue May 17, 2023
Adds checks to verify that report and contact forms can't be accessed by URL if the `context.permission` and `context.expression` doesn't match.
@latin-panda
Copy link
Contributor

Merged

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Type: Security Affects security
Projects
Status: Done
Development

No branches or pull requests

3 participants