CON-1496 - Form fields can be marked as sensitive

Created by Shannon Deminick 05 Feb 2018, 10:42:24 Updated by Jacob Midtgaard-Olesen 16 Mar 2018, 08:01:02

Relates to: CON-1490

Subtask of: U4-10796

This will require re-targeting Forms to a min version of 7.9.0 - this means we will release a new major version of Forms.

To determine if a user has access to sensitive data, there's a new IUser extension method in 7.9.0 which checks for a User Group

* Any form field can be marked as 'sensitive' (possibly borrowing any UI/messaging that now exists in 7.9)
* Front end logic needs to exist for editing a form - if the user does not have access to Sensitive values, then they cannot modify the sensitive value flag
* Back end logic needs to exist for editing a form - if the user does not have access to Sensitive values, then they cannot modify the sensitive value flag - we need to validate this on the server so it cannot be hacked

Comments

Warren Buckley 12 Feb 2018, 12:36:32

PR for this is here - https://github.com/umbraco/Forms/pull/180

Test Notes

* Requires you use Umbraco 7.9 for this to work
* In your Umbraco install of 7.9 (ensure you have 2 users, one in and one not in the sensitive data group)
* Create a NEW form as user who has access and create a form with one or more fields marked as sensitive
* Log out & switch users
** Can you see the fields indicated with a lock & text above each field preview that were marked as sensitive?
** Verify you cannot see the option in the field settings overlay to toggle/change the value

* Try & hack a request where the JSON payload to test & verify the server-side validation checks for a user who does not have access:
** New Forms created cannot contain ANY fields marked as sensitive
** Updating an existing form field that was previously marked as sensitive to now not be
** Adding a new form field to the design/form & marking that new field as sensitive data
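
The three server-side cases listed in the test notes above can be expressed as a diff between the persisted form and the submitted one. This is an added example, not code from the Forms PR or from Umbraco: `FieldDto`, `SensitiveFlagValidator` and the `canAccessSensitive` parameter are hypothetical names, and the parameter is assumed to carry the result of the server-side user group check mentioned in the issue.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Hypothetical minimal field model for this example; not the Umbraco Forms types.
public sealed class FieldDto { public Guid Id; public bool Sensitive; }

public static class SensitiveFlagValidator
{
    // stored: fields of the persisted form loaded on the server, or null for a new form.
    // submitted: fields deserialized from the request JSON (untrusted).
    // canAccessSensitive: outcome of the server-side group check for the current user.
    public static List<string> Validate(
        IEnumerable<FieldDto> stored, IEnumerable<FieldDto> submitted, bool canAccessSensitive)
    {
        var errors = new List<string>();
        if (canAccessSensitive) return errors;

        // Compare against what the server has stored, never a client-supplied "previous" value.
        var storedById = (stored ?? Enumerable.Empty<FieldDto>()).ToDictionary(f => f.Id);
        foreach (var field in submitted ?? Enumerable.Empty<FieldDto>())
        {
            FieldDto existing;
            if (!storedById.TryGetValue(field.Id, out existing))
            {
                // New form or newly added field: the flag must not be set.
                if (field.Sensitive) errors.Add("New field " + field.Id + " is marked sensitive.");
            }
            else if (existing.Sensitive != field.Sensitive)
            {
                // Existing field: the flag must match the stored value in both directions.
                errors.Add("Sensitive flag changed on field " + field.Id + ".");
            }
        }
        return errors;
    }

    public static void Main()
    {
        // Constructed sample: one stored sensitive field, one stored normal field.
        var locked = Guid.NewGuid(); var open = Guid.NewGuid();
        var stored = new[] { new FieldDto { Id = locked, Sensitive = true }, new FieldDto { Id = open } };
        var submitted = new[] { new FieldDto { Id = locked, Sensitive = false }, new FieldDto { Id = open },
                                new FieldDto { Id = Guid.NewGuid(), Sensitive = true } };
        foreach (var e in Validate(stored, submitted, false)) Console.WriteLine(e);
    }
}
```

With the constructed input, the unflagged existing field and the new sensitive field are each rejected, and the unchanged field passes.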


Shannon Deminick 14 Feb 2018, 02:21:18

Great work!


Priority: Normal

Type: Task

State: Fixed

Assignee:

Difficulty:

Category:

Backwards Compatible: False

Fix Submitted:

Affected versions:

Due in version: 7.0.0

Sprint: Sprint 78

Story Points: 5

Cycle: 8