Posted by ruben_vreeken on February 4, 2013 at 12:36pm
| Project: | Entityforms |
| Version: | 7.x-1.0 |
| Component: | Code |
| Category: | bug report |
| Priority: | major |
| Assigned: | Unassigned |
| Status: | closed (cannot reproduce) |
Issue Summary
I've noticed a bug that's potentially quite serious. It seems anonymous users are able to submit forms to which they're not supposed to have access at all.
The settings:
- When editing an "Entityform type", in the "Access settings" tab there is a setting "Roles *". In this list, I have checked "authenticated user" and "administrator". "anonymous user" is not checked.
- When editing an "Entityform type", in the "Access settings" tab there is a setting "Form status". This selectbox is set to "Open for new submissions".
The expected behaviour:
- Users that have one or more of the checked roles can access the entityform, fill it in, and submit it while the form is "open to new submissions".
- Anonymous users cannot access the entityform; they cannot fill it in.
- If an anonymous user does find a way to submit an entityform, the submission is rejected with an error or access denied message.
What actually happens:
- Anonymous users can access the entityform, fill it in, and submit it.
- The submissions of these anonymous users get validated and saved without any errors, warnings or access denied messages.
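The expected behaviour listed in the report amounts to two checks that must hold at submission time, not only when the form is rendered: the form status must be open, and the submitting account must hold at least one role ticked under "Roles *". The following Drupal 7-style code is an added illustration of those checks and is not the Entityform module's own code. The location of the type settings (`$type->data['roles']`, `$type->data['form_status']`), the `'open'` status value, the `$type->type` property and the `$form_state['entityform_type']` key are assumptions made for this example; Drupal core's `$account->roles` array (rid => role name) and `form_set_error()`/`watchdog()` are real.

```php
<?php
// Added example (not Entityform's code): enforce the type's access settings
// when a submission is validated, so that a user who should never have seen
// the form cannot get a submission saved either.

// Assumed value stored in ->data['form_status'] for "Open for new submissions".
define('EXAMPLE_FORM_STATUS_OPEN', 'open');

/**
 * Returns TRUE when $account may submit a form of type $type.
 *
 * @param object $type
 *   Entityform type object. Assumed to carry ->data['roles'] (FAPI checkbox
 *   values keyed by rid: rid when ticked, 0 when not) and ->data['form_status'].
 * @param object|null $account
 *   Drupal user object; defaults to the current user. Core supplies ->roles
 *   as array(rid => role name); an anonymous visitor has only rid 1.
 */
function example_entityform_submit_access($type, $account = NULL) {
  if (!isset($account)) {
    $account = $GLOBALS['user'];
  }

  // 1. The form must be open, whoever is asking.
  if (empty($type->data['form_status'])
      || $type->data['form_status'] !== EXAMPLE_FORM_STATUS_OPEN) {
    return FALSE;
  }

  // 2. Role allow-list: array_filter() drops the unticked (0) checkboxes, so
  //    only roles explicitly selected in "Access settings" remain.
  $allowed = array_filter((array) $type->data['roles']);
  $granted = array_intersect_key((array) $account->roles, $allowed);

  // With "anonymous user" unticked, an anonymous account has no matching rid
  // and $granted is empty, which is exactly the denial the report expects.
  return !empty($granted);
}

/**
 * Form validation handler: re-run the access check on every submission.
 * Checking only at render time is not enough, because a submission can
 * arrive for a form the user was not allowed to see.
 */
function example_entityform_form_validate($form, &$form_state) {
  // Assumed: the entityform type object was stored here when the form was built.
  $type = $form_state['entityform_type'];

  if (!example_entityform_submit_access($type)) {
    form_set_error('', t('You do not have permission to submit this form.'));
    watchdog('example_entityform',
      'Rejected submission to entityform type %type from uid %uid.',
      array('%type' => $type->type, '%uid' => $GLOBALS['user']->uid),
      WATCHDOG_WARNING);
  }
}
```

Wiring `example_entityform_form_validate` into the form's `#validate` array means a rejected submission never reaches the submit handlers, and the `watchdog()` entry gives site administrators a log line to look for when confirming whether the behaviour described in this report is occurring on their own install.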
Comments
#1
I'm working with tedbow on this issue. I was unable to replicate the issue on a fresh install of Drupal v7.19.
Please could you also try to reproduce the issue on a fresh Drupal install and let us know. Do you get the same results with the dev version?
#2
I'll try to reproduce the issue on a clean install. I do know the site that caused the problem runs on a slightly older version of Drupal.
It might take me a few days to find time to try and reproduce the error though.
#3
Cleaning up issues