Form metadata API doesn't return library forms unless user is admin #3919

Closed
ebruchez opened this Issue Jan 31, 2019 · 2 comments

ebruchez commented Jan 31, 2019

This API was done initially for the Home page, and the logic is that if you are a regular user, that is, not an admin user, we need to filter out certain forms, including:

  • library forms
  • forms on which the user cannot perform any operations
  • unavailable forms

If the user is "admin", that is, the user has all permissions for all forms or explicitly all permissions for the given form, then the forms are returned without any filtering at all.

Now, when we use Form Builder in the context of publishing a form definition or listing the existing library forms in the toolbox (#3885), we call the API explicitly for a library form.

If in this case we haven't configured form-builder-permissions.xml to allow all operations on library forms, then the API doesn't return any information about the form. This is incorrect for publishing as well as for the toolbox usage.

For backward compatibility, the assumption, when using Form Builder without explicit form-builder-permissions.xml, is that all operations are permitted: creating forms, saving forms, publishing forms, etc.

This raises a few questions:

  • What to do with this API when requesting library forms from Form Builder?
  • More generally, what to do in the case where you might have runtime permissions enabled for a form and Form Builder without any particular operations for that form configured in form-builder-permissions.xml?
  • Finally, even if form-builder-permissions.xml is configured, should something special happen for library forms when information about them is requested from Form Builder?

@ebruchez ebruchez self-assigned this Jan 31, 2019

@ebruchez ebruchez added this to Todo in Orbeon Forms 2018.1.4 via automation Jan 31, 2019

@ebruchez ebruchez added this to To review in Orbeon Forms 2019.1 via automation Jan 31, 2019

@ebruchez ebruchez added this to To review in Orbeon Forms 2018.2.1 via automation Jan 31, 2019

ebruchez commented Jan 31, 2019

The simplest solution is to pass a new URL parameter, all-forms=true, which requires the API to not filter the form definitions. This would be passed by Form Builder as the caller.

I don't think that this is a security issue. The filtering is done by the API for the convenience of the Home page, essentially. The API itself is not open by default.

  • implement all-forms=true, which is false by default
  • Form Builder uses all-forms=true for publishing
  • Form Builder uses all-forms=true for the toolbox
  • the Import page on the other hand follows permissions and doesn't use all-forms=true
  • doc
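The following is an added example, not Orbeon's code, that models the filtering rules from the first comment (admin sees everything; a regular user does not see library, operation-less or unavailable forms) together with the proposed all-forms=true parameter from this comment. All names here (FormDef, Permissions, form_metadata, all_forms_requested, the sample forms and users) are hypothetical and constructed for the illustration; the real API's data model and parameter handling are not shown on this page.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple
from urllib.parse import parse_qs

# Hypothetical operation set; "admin" means holding all of them.
ALL_OPERATIONS: FrozenSet[str] = frozenset({"create", "read", "update", "delete"})


@dataclass(frozen=True)
class FormDef:
    app: str
    name: str
    is_library: bool = False   # library forms feed the Form Builder toolbox
    available: bool = True     # unavailable forms are hidden from regular users


@dataclass(frozen=True)
class Permissions:
    # operations the user holds on every form (admin when this is ALL_OPERATIONS)
    on_all_forms: FrozenSet[str]
    # operations granted explicitly on a given (app, name)
    per_form: Dict[Tuple[str, str], FrozenSet[str]]


def operations_for(perms: Permissions, form: FormDef) -> FrozenSet[str]:
    """Operations the user can perform on this particular form."""
    return perms.on_all_forms | perms.per_form.get((form.app, form.name), frozenset())


def is_admin_for(perms: Permissions, form: FormDef) -> bool:
    """The issue's definition: all permissions on all forms, or all on this form."""
    return ALL_OPERATIONS <= operations_for(perms, form)


def all_forms_requested(query_string: str) -> bool:
    """Parse the proposed URL parameter; it is false unless explicitly 'true'."""
    return parse_qs(query_string).get("all-forms", ["false"])[0].lower() == "true"


def form_metadata(forms: List[FormDef], perms: Permissions,
                  all_forms: bool = False) -> List[FormDef]:
    """Return the forms the caller gets to see.

    all_forms=True switches off the Home-page convenience filtering (the
    Form Builder publish/toolbox case); the default keeps it on (Home, Import).
    """
    result = []
    for form in forms:
        if all_forms or is_admin_for(perms, form):
            result.append(form)          # no filtering at all
            continue
        if form.is_library:
            continue                     # library forms are hidden
        if not form.available:
            continue                     # unavailable forms are hidden
        if not operations_for(perms, form):
            continue                     # no operation permitted on this form
        result.append(form)
    return result


# Constructed sample data for the demonstration.
FORMS = [
    FormDef("orbeon", "library", is_library=True),
    FormDef("orbeon", "contact"),
    FormDef("orbeon", "draft", available=False),
]
REGULAR_USER = Permissions(on_all_forms=frozenset(),
                           per_form={("orbeon", "contact"): frozenset({"read"})})
ADMIN_USER = Permissions(on_all_forms=ALL_OPERATIONS, per_form={})


def names(forms: List[FormDef]) -> List[str]:
    return [f.name for f in forms]


if __name__ == "__main__":
    # Without the flag, the library form is dropped for a regular user,
    # which is the behaviour that breaks publishing and the toolbox.
    print("regular, default :", names(form_metadata(FORMS, REGULAR_USER)))
    # With all-forms=true the caller (Form Builder) gets the unfiltered list.
    flag = all_forms_requested("all-forms=true")
    print("regular, all-forms:", names(form_metadata(FORMS, REGULAR_USER, all_forms=flag)))
    print("admin, default   :", names(form_metadata(FORMS, ADMIN_USER)))
```

Note that in this model the parameter only disables the Home-page style filtering; it grants no operations and does not change who can reach the API in the first place, so a caller such as the Import page that omits the parameter still gets the permission-filtered list.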
@ebruchez ebruchez closed this Jan 31, 2019

@ebruchez ebruchez added this to Done in Orbeon Forms 2017.2.3 via automation Jan 31, 2019

Orbeon Forms 2019.1 automation moved this from To review to Done Jan 31, 2019

Orbeon Forms 2018.1.4 automation moved this from Todo to Done Jan 31, 2019

Orbeon Forms 2018.2.1 automation moved this from To review to Done Jan 31, 2019

avernet added a commit that referenced this issue Feb 2, 2019
