We have moved to GitHub Issues
Created by Chriztian Steinmeier 04 May 2016, 12:27:08 Updated by Rick Mason 18 Jul 2018, 10:44:49
As an admin user I can create a number of forms and subsequently go to ''Forms Security'' to allow some of my Editors to manage these.
I can now observe the following:
I really don't like that an Admin User needs to remember to uncheck a checkbox for another user, to deny them access to a specific webform every time a new form is created.
What would be very nice to have, was some way to state these scenarios:
It seems Umbraco Forms has an overall permissions record for each user (Manage Forms, Manage Datasources etc) and per-user permissions records for each form (Access to form). If any permissions record is missing, as they are for new users and new forms, the default is to 'allow'. The default should be to 'deny'.
For anyone looking for a workaround until this is fixed, I have written some code which looks for any missing permissions records and sets them to 'deny'. Existing permissions, either 'allow' or 'deny', are preserved. Ideally the code would be run when a new user or form is created, but there don't seem to be events for either. Instead I plan to run it frequently using a scheduled task to call it as a web API:
The controller code for the entries viewer also has this assumption that data should not be secured:
//By default set to have access (in case we do not find the current user's per indivudal form security item) $scope.hasAccessToCurrentForm = true;
Backwards Compatible: True
Affected versions: 6.0.5
Due in version: