Status: closed (cannot reproduce)
I've noticed a bug that's potentially quite serious. It seems anonymous users are able to submit forms to which they're not supposed to have access at all.
- When editing an "Entityform type", in the "Access settings" tab there is a setting "Roles *".
In this list, I have checked "authenticated user" and "administrator". "anonymous user" is not checked.
- When editing an "Entityform type", in the "Access settings" tab there is a setting "Form status".
This selectbox is set to "Open for new submissions".
The expected behaviour:
- Users that have one or more of the checked roles can access the entityform, fill it in, and submit it while the form is "open to new submissions".
- Anonymous users cannot access the entityform; they cannot fill it in.
- If an anonymous user does find a way to submit an entityform, the submission is rejected with an error or access denied message.
What actually happens:
- Anonymous users can access the entityform, fill it in, and submit it.
- The submissions of these anonymous users get validated and saved without any errors, warnings or access denied messages.