Hi,
Not sure if I'm using this correctly, but there seems to be a problem with the confirmation page: Anonymous user can see other user's confirmation page by changing the sid query parameter, if any submitted data is displayed on confirmation page (for example, submitted email), this would present a security problem.
Setup:
1. Webform permissions: Uncheck all for anonymous users (anonymous user does have access node permission)
2. Add webform node with an email field:
-- Confirmation message or redirect URL:
<?php
include_once(drupal_get_path('module', 'webform') .'/webform_submissions.inc');
$nid = arg(1); // need to hard-code nid if this is a custom page
$sid = $_GET['sid'];
$submission = webform_get_submission($nid, $sid);
$email = $submission->data[1]['value'][0];
?>
Form submitted to <?php print $email;?>.
-- Roles that can submit this webform: Check both anonymous and authenticated user
Test:
-- Logout and go to the webform as anonymous user
-- Fill in email, submit, the page goes to /node/1/done?sid=3, confirmation message is displayed
-- Start another browser, put /node/1/done?sid=3 in the address line and go, you can see the confirmation message with the submitted email even though you didn't submit the form in this browser
It looks to me that sid or some other unique token should be passed via session to confirmation page in order to ensure the page is only displayed for the user who submitted the form.
Comments
Comment #1
quicksketchIt's not a bug or a security problem caused by Webform that you're describing, so I'm moving this to a support request.
Yes there's definitely a privacy problem in the code you're describing. In order to make it more secure, you should perform some sort of validation to make sure that the user viewing the data and the person that submitted the data are the same person. Something like this should help:
Note that this particular example only works for registered users. Anonymous users may also be assigned a cookie (if you have that setting enabled at admin/settings/webform), which you can use to help identify Anonymous user submissions.
Comment #2
jrao commentedOk, thanks for the explanation. Currently I'm storing the submitted email in session and check it in confirmation to secure the page, but it seems to me this function should be part of the webform especially if a general solution like using the cookie exists (I'm not quite sure how to do this though).
Comment #3
quicksketchPerhaps this is what you're describing: #435232: Summary/review/preview page before final submission in multistep forms. Note that you can also theme your submission pages by overridding the webform-confirmation.tpl.php file. See THEMING.txt for more info on that.
Comment #4
quicksketchComment #5
charlie-s commentedThere seems to be a bug in this logic. If I set a webform to be visible only to authenticated users, I'm expecting some form of privacy -- especially when I set the permission for an authenticated user to only be able to view their own submissions. But anyone who is logged in can go to node/1234/done?sid=5678 and see other's results.
I'm currently combating this issue on the theme level, which will work for my development purposes, although I'm not clear as to why this is the expected behavior. This is my webform-confirmation.tpl.php file, located in my theme, that achieves the expected behavior: