CON-1022 - New users should not be granted access to manage and view all forms

Created by Chriztian Steinmeier 04 May 2016, 12:27:08 Updated by Rick Mason 18 Jul 2018, 10:44:49

My scenario:

As an admin user I can create a number of forms and subsequently go to "Forms Security" to allow some of my Editors to manage these.

I can now observe the following:

  • When I create a new form, all other users with access to Forms can see and edit that form
  • When an Editor creates a new form, all other editors have access to that form

I really don't like that an Admin User needs to remember to uncheck a checkbox for another user, to deny them access to a specific webform every time a new form is created.

What would be very nice to have is some way to state these scenarios:

  • Grant this user access to all forms
  • Grant this user access to these specific forms.
  • Grant this user access to these specific forms. Additionally, allow them to create new forms.

/Chriztian

Comments

Rick Mason 22 Dec 2017, 11:56:44

It seems Umbraco Forms has an overall permissions record for each user (Manage Forms, Manage Datasources etc) and per-user permissions records for each form (Access to form). If any permissions record is missing, as they are for new users and new forms, the default is to 'allow'. The default should be to 'deny'.

For anyone looking for a workaround until this is fixed, I have written some code which looks for any missing permissions records and sets them to 'deny'. Existing permissions, either 'allow' or 'deny', are preserved. Ideally the code would be run when a new user or form is created, but there don't seem to be events for either. Instead I plan to run it frequently using a scheduled task to call it as a web API:

https://github.com/east-sussex-county-council/Escc.Umbraco.Forms/
https://www.nuget.org/packages?q=Escc.Umbraco.Forms


Rick Mason 18 Jul 2018, 10:44:49

The controller code for the entries viewer also has this assumption that data should not be secured:

    // By default set to have access (in case we do not find the current user's per individual form security item)
    $scope.hasAccessToCurrentForm = true;
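The two comments above describe the same defect from two sides: a missing per-form security record is treated as "allow" both in the server-side permissions model and in the entries-viewer controller. The block below is an added example, not Umbraco Forms' own code or the Escc.Umbraco.Forms workaround. It uses a constructed set of security records with assumed field names (userId, formId, hasAccess) to contrast the fail-open lookup with a fail-closed one, and shows the "backfill every missing record as deny, leave existing allow/deny records alone" approach the first comment describes.

```javascript
// Added example (not Umbraco Forms' code). Field names and sample data are
// assumptions for illustration, not the real Umbraco Forms schema.

// Constructed per-user, per-form security records.
// Deliberately missing: user 2 on 'newsletter', and user 3 on every form
// (a new user and/or a new form with no record yet).
const securityRecords = [
  { userId: 1, formId: 'contact', hasAccess: true },
  { userId: 1, formId: 'newsletter', hasAccess: false },
  { userId: 2, formId: 'contact', hasAccess: true },
];
const users = [1, 2, 3];
const forms = ['contact', 'newsletter'];

function findRecord(records, userId, formId) {
  return records.find((r) => r.userId === userId && r.formId === formId);
}

// Fail-open: the behaviour described in the issue. A missing record
// is interpreted as "allow", so new users and new forms are wide open.
function hasAccessFailOpen(records, userId, formId) {
  const record = findRecord(records, userId, formId);
  return record ? record.hasAccess : true;
}

// Fail-closed: a missing record is interpreted as "deny". Only an
// explicit allow grants access.
function hasAccessFailClosed(records, userId, formId) {
  const record = findRecord(records, userId, formId);
  return record ? record.hasAccess : false;
}

// Workaround in the style the comment describes: create an explicit
// 'deny' record for every user/form pair that has none. Existing records,
// whether allow or deny, are never touched. Returns the records it added
// so a scheduled run can log exactly what it changed.
function backfillMissingAsDeny(records, userIds, formIds) {
  const added = [];
  for (const userId of userIds) {
    for (const formId of formIds) {
      if (!findRecord(records, userId, formId)) {
        const record = { userId, formId, hasAccess: false };
        records.push(record);
        added.push(record);
      }
    }
  }
  return added;
}

// Effective access for every user/form pair under a given lookup rule,
// as a list of "userId/formId" strings that resolve to allow.
function allowedPairs(records, userIds, formIds, lookup) {
  const allowed = [];
  for (const userId of userIds) {
    for (const formId of formIds) {
      if (lookup(records, userId, formId)) allowed.push(`${userId}/${formId}`);
    }
  }
  return allowed;
}

// Stand-alone run; works on a copy so the sample data stays unmodified.
function demo() {
  const records = securityRecords.map((r) => ({ ...r }));
  console.log('fail-open  :', allowedPairs(records, users, forms, hasAccessFailOpen));
  console.log('fail-closed:', allowedPairs(records, users, forms, hasAccessFailClosed));
  const added = backfillMissingAsDeny(records, users, forms);
  console.log('backfilled :', added);
  // After backfilling, even the fail-open lookup denies the previously missing pairs.
  console.log('fail-open after backfill:', allowedPairs(records, users, forms, hasAccessFailOpen));
}

demo();
```

The backfill only closes the gap between a record being created and the next scheduled run; the fix the issue asks for is the fail-closed lookup, which needs no backfill at all because absence of a record is itself a deny.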


Priority: Normal

Type: Bug

State: Submitted

Assignee:

Difficulty:

Category:

Backwards Compatible: True

Fix Submitted:

Affected versions: 6.0.5

Due in version:

Sprint:

Story Points:

Cycle: