New users should not be granted access to manage and view all forms #12
Comments
+1 for this request. It renders Umbraco Forms pretty useless in a multi-site situation giving all users access to all forms that are created. We only just discovered this, and it's surprising to see that all users would always get all permissions to all forms. Rick, thanks for your workaround. I did hunt down and change $scope.hasAccessToCurrentForm = false; That didn't seem to have an effect on newly created forms. I was walking through your code here, and it looks like it all boils down to line 220 of https://github.com/east-sussex-county-council/Escc.Umbraco.Forms/blob/master/Escc.Umbraco.Forms.Security/UmbracoFormsSecurity.cs So given this use case. There are 2 existing forms, User A has 1 form, User B has 1 form. User A then creates a new form. User B will have access to User A's form (they are different clients, yikes). But when exactly will Umbraco Forms create the User Form permission records you mentioned? Or rather, how are you differentiating between "existing permissions" and newly created forms?
@marcond05 My code looks at each user and each form, and checks for a permissions record. If it finds anything it leaves it alone - that's how it preserves existing permissions. If it finds nothing then the permissions for that user have never been set, and unfortunately the default is to allow, so it creates a deny record. To answer your question the first way, User B will have access to User A's form from the moment it's created until the moment my workaround runs (or permissions are set manually). That's why I recommend running it regularly, to reduce that exposure. On a big site it takes a while to run though so you can't run it frequently enough to completely eliminate the chance that User B will see User A's form. To Umbraco HQ: I think this should be a fairly quick fix. It doesn't require radical changes to the permissions system, just a change to the default behaviour when no permissions are present.
Thanks @sussexrick , I see what you mean now. For anyone else arriving at this issue cold, here is precisely what happens:
The user doesn't even have to visit the form itself, just click on the root /umbraco/#/forms url and that user will have access to the form. Have you tried addressing this with plain ole' SQL script by chance? I have done Syncing processes and ended up modifying revision nodes directly as the Umbraco services tend to be a little slow on recurring processes like this. PS - I arrived at your ticket after Umbraco Forms team told me to put a feature request in. But considering you originally raised this issue in 2016 I think we may end up doing something similar to your workaround :)
No I haven't tried using SQL directly. I stick to APIs when I can to insure against changes between versions. If you can fork and improve my workaround rather than starting from scratch then please do. I was made aware that there are FormStorage.Saving / .Saved events that might speed things up, but I haven't had a chance to revisit it. I'm not sure whether it helps because the "new user" case would still require a regular sweep of the site.
Thanks @sussexrick . That's interesting, support just told me there were no events. But I think he was referencing the documentation, which I think only covers the fluffy front-end stuff for developers. I have a feeling those events are more geared toward actual form submissions, not form management, but I would love to be wrong. Events would certainly be a cleaner solution. Although hopefully we can get a Default permission behavior on forms some day. I will let you know what I come up with, but much appreciated for your efforts and putting this post & code together! 👍 I will send this over to the Support fellow, as he told me to put a ticket in. Cheers,
Probably related to issue #3, as 'Manage Forms' is required to even view the entries.
+1 for this request, the default should be that users are not granted access to manage and view all forms |
+1 for this (as of Forms 8.4.0) - especially when there's no "check all/uncheck all" box on the Forms permissions page, and we have about 50 - 60 forms.
Just adding these snippets here in case it helps workaround this issue, or help consider a fix: It's possible to tap into the formstorage_created event that fires when a new form is created, and loop through all users to add a deny record to the new form for each user...
and the other way around you can tap into the User Saved event (there isn't a first time create event for User), and add a deny record for all forms for the new user:
So you can sort of see 'this approach works' but it's not super scalable if there are 1000 users or 1000 forms! What would be great would be to perhaps have bulk insert options for UserFormSecurityStorage that would allow you to insert instructions for multiple users for a form, or multiple forms for a user, with a single SQL command... The other thing that would be handy would be having a Created event for Users which had the Groups populated. Also, there is a real world scenario where users shouldn't have access to manage forms - but should have access to view and export entries from individual forms, but perhaps that's a separate issue.
Hiya @sussexrick, Just wanted to let you know that we noticed that this issue got a bit stale and might not be relevant any more. We will close this issue for now but we're happy to open it up again if you think it's still relevant (for example: it's a feature request that's not yet implemented, or it's a bug that's not yet been fixed). To open this issue up again, you can write For example:
This will reopen the issue in the next few hours. Thanks, from your friendly Umbraco GitHub bot 🤖 🙂
Fixing this will be part of overhauling the Forms permissions and making sure managing and viewing forms are separated, which is already discussed in #3.
Due in the next minor release, 8.11.0 and 9.3.0.
+1 for this - especially when there's no "check all/uncheck all" box on the Forms permissions page, and we have about 50 - 60 forms. Currently using:
First reported as http://issues.umbraco.org/issue/CON-1022 on Umbraco 7.6.12 and Forms 6.0.5.
When a new form is created all other users with access to Forms can see and edit that form. When a new user is created they have access to all forms.
It seems Umbraco Forms has an overall permissions record for each user (Manage Forms, Manage Datasources etc) and per-user permissions records for each form (Access to form). If any permissions record is missing, as they are for new users and new forms, the default is to 'allow'. The default should be to 'deny'.
For anyone looking for a workaround until this is fixed, I have written some code which looks for any missing permissions records and sets them to 'deny'. Existing permissions, either 'allow' or 'deny', are preserved. Ideally the code would be run when a new user or form is created, but there don't seem to be events for either. Instead I plan to run it frequently using a scheduled task to call it as a web API:
https://github.com/east-sussex-county-council/Escc.Umbraco.Forms/
https://www.nuget.org/packages?q=Escc.Umbraco.Forms
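The fail-open lookup described in the issue body, the sweep workaround above, and the event-hook variant from the comments, as an added in-memory model that is not Umbraco Forms code and not the Escc.Umbraco.Forms package: the store, user and form names, and the `on_form_created` hook are constructed stand-ins for the real storage API and its events.

```python
from dataclasses import dataclass, field

@dataclass
class FormSecurityStore:
    """Constructed in-memory stand-in for Umbraco Forms' per-form user records."""
    users: set = field(default_factory=set)
    forms: set = field(default_factory=set)
    records: dict = field(default_factory=dict)  # (user, form) -> allowed?

    def set_access(self, user, form, allowed):
        self.records[(user, form)] = allowed

    def has_access_default_allow(self, user, form):
        # Behaviour reported in the issue: no record means allow (fail open).
        return self.records.get((user, form), True)

    def has_access_default_deny(self, user, form):
        # Requested fix: no record means deny (fail closed).
        return self.records.get((user, form), False)

    def sweep_missing_to_deny(self):
        """Workaround from the issue body: insert a deny record for every
        user/form pair that has none, leaving existing records untouched."""
        inserted = 0
        for user in self.users:
            for form in self.forms:
                if (user, form) not in self.records:
                    self.records[(user, form)] = False
                    inserted += 1
        return inserted

    def on_form_created(self, form):
        # Event-hook variant from the comments: deny every existing user on
        # the new form at creation time, so there is no window before a sweep.
        self.forms.add(form)
        for user in self.users:
            self.records.setdefault((user, form), False)

def reproduce_scenario():
    """User A and User B each own one form; A then creates a new form."""
    store = FormSecurityStore(users={"A", "B"}, forms={"formA", "formB"})
    store.records.update({("A", "formA"): True, ("B", "formA"): False,
                          ("B", "formB"): True, ("A", "formB"): False})
    store.forms.add("newA")  # created with no permission records at all
    store.set_access("A", "newA", True)
    exposed = store.has_access_default_allow("B", "newA")  # True: the bug
    inserted = store.sweep_missing_to_deny()
    closed = store.has_access_default_allow("B", "newA")  # False after sweep
    return exposed, inserted, closed, store
```

The window between `newA` being created and the sweep running is the exposure the thread discusses; the `on_form_created` hook closes it only for forms, and new users still need a sweep or an equivalent hook.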
The controller code for the entries viewer also has this assumption that data should not be secured: