Editor can't view forms

[bjornnorlen]

Hi
We've built a website solution for a client using Umbraco 9. This client own multiple other companies and all these companies are hosted in the same solution, but each company has only access to their own website in the content tree, media and forms section. However, we've noticed that Umbraco forms is behaving strange. An account we have configured for testing should be able to view all forms where "has access" is enabled in the forms security section but the account can't see or view any forms its user group has access to. No user permissions for Umbraco forms have been configured for that account.

Bug summary

The test account does is member of the groups "Shared resources" and "Vitec Aloc Admin":

At the groups permissions level under forms security, the Vitec Aloc Admin group has enabled all properties from "Manage forms" at the top to "Manage prevalue sources" at the bottom. This group does not have any start folder selected for Umbraco forms and under Forms security the user group has access to maybe 75% of the forms created:

However, the account can't view any of the forms except those itself has created:

Since the user group didn't have any start node selected shouldn't the form be created at the root level of Umbraco forms? Now it was created in another folder:

In appsettings.json in Forms.Security we have specified the following properties:

"Security": { "DisallowedFileUploadExtensions": "config,exe,dll,asp,aspx", "EnableAntiForgeryToken": true, "SavePlainTextPasswords": false, "DisableFileUploadAccessProtection": false, "DefaultAccessToNewForms": "Grant", "ManageSecurityWithUserGroups": true, "GrantAccessToNewFormsForUserGroups": "{all user groups aliases in Umbraco}" }

Specifics

• Umbraco 9.5.4
• Umbraco forms 9.4.2

Expected result

When not specifying an Umbraco forms start node on a user group, a user of that group should be able to view all folders and forms that has the "has access" property enabled.

Actual result

A user can only view the forms itself has created and forms seem to be created in a random folder, not in the root.

[AndyButland]

Just to make sure I can properly replicate when looking at this, could you confirm if this account also has an individual user account for Forms security please? In other words, as well as their group have a node under Forms Security > Group Permissions, is there a node for the user under Forms Security > User Permissions?

If there is, you likely want to remove that such that the permissions for the user are defined solely via the groups they are part of.

[bjornnorlen]

@AndyButland No exactly, there is no node for that user under Forms Security > User Permissions, it only has the permissions it receives from Forms Security > Group Permissions.

[AndyButland]

I've tried to replicate this from a clean install. I can't see the issue but it's probably worth me replaying what I've done so perhaps you can spot what's different in your setup.

• New install of the same CMS and Forms versions
• Configured with "ManageSecurityWithUserGroups": true
• Removed access to the Forms section from the "Editors" group
• Created a new user group, called "Forms", and given access to the Forms section
• Under Users > Forms Security > Group Permissions given the "Manage Forms" permission to the "Forms" user group.
• Created a user and added them to the "Editors" and "Forms" groups.
• Created a couple of folders under the root.
• Logged in as that user, created a form and found it created as expected under the root.

From your description and screenshots, it looks like the user you are logging in with does have a start folder defined - which is why the forms are created under the folder "DocuBizz". So the mystery is where that is coming from.

I'm assuming you don't see one defined when you view the Users > Form Security > Group Permissions > Vitec Aloc Admin page? I.e. it looks like this:

If not, my last thought is that it could be is that you have a user start folder defined for this user, but don't see it in the UI due to having removed their user permission record.

At the database level, you could check this with:

SELECT * FROM UFUserSecurity
WHERE [User] = (
	SELECT id
	FROM umbracoUser
	WHERE userName = 'Teknikhuset'
)

SELECT * FROM UFUserStartFolders
WHERE UserId = (
	SELECT id
	FROM umbracoUser
	WHERE userName = 'Teknikhuset'
)

There should be no records found, but perhaps the latter query is returning one.

So you could try this:

• Navigate to Users > Form Security > Group Permissions and create a new user permission record for the user in question.
• Ensure the record has no start folders defined, and save it.
• Delete the record again.

That should ensure any start folders defined for the user are removed.

[AndyButland]

Closing this one now due to lack of further activity and hopefully a resolution being provided in the comment above.