For the webform that I'm creating, it's important that I both (a) obscure the number of previous submissions and (b) allow editing privileges since I'm only allowing one submission per user.
A little background: I've determined that it's relatively easy to obscure the number of submissions in the URL by using Clean URLs and forwarding to a confirmation page. If I allow users to edit their submissions, however, the SID of the submission is shown in the URL -- and the user could determine the number of submissions using that SID.
My simplest idea was to simply obfuscate the actual SID by inserting a large number into the URL wherever the SID usually appears. For example, if the SID = 15,
www.example.com/mywebform/submission/42839115/edit?destination=node/1/submissions
Is this easy to implement? My PHP isn't so great, so I couldn't figure it out. Any help would be much appreciated!
Thanks for all of your work on this quicksketch, et al.
woop
NB: The goal here isn't to make the webform invulnerable against Anonymous attacks, so any help with the question at hand would be wonderful.
Comments
Comment #1
woop_light commentedComment #2
woop_light commentedAny ideas on this? They would be much appreciated!
Comment #3
woop_light commentedI tried tinkering with the PHP for a bit, but it keeps breaking the module. Is this an easy thing to implement?
Comment #4
woop_light commented$20 bounty?
Comment #5
quicksketchIf you just want to use a big number, just insert a row manually into the webform_submissions table with a big number. Subsequent insertions will be numerically incremented after that high number.
In Webform 4.x, users aren't allowed to view the submissions of other anonymous users because a hash key is also added to the URL that must match the submission ID.
Comment #6
woop_light commentedShucks I feel pretty dumb and $20 poorer. Worked perfectly - Thanks!
Comment #7
quicksketchThanks @woop_light. You're an honest man. :)