Skip to main content

Good morning all,


 I know this is not K2 specific but I wonder if any of you have seen this issue before.  Apparently you can completely subvert item level permissions on an InfoPath form if you know the forms URL. 


 Here are the steps to reproduce:



      To reproduce this,

      1. Submit a form to a form library using a regular account (user1).

      2. Select the item which opens the form in the browser.

      3. Copy the URL to the clipboard.

      4. Using an admin account, break list item permission inheritance and remove all permissions for user1.

      5. Switch back to user1.

      6. Paste the URL into the browser and try to open the form.


I am guessing the form will open with zero issues.  Another one of my companies consultants at our Houston office noticed this issue and emailed an internal distribution group, and I decided to test it in a vanilla SharePoint/K2 install instance and it worked as described in his email.  Have any of you seen this before or possibly know a work-around?


The Houston consultant was able to somewhat workaround by using code-behind in the InfoPath form, however I don't think that will work in my situation since I have to rely on browser based IP forms.




 

From an InfoPath side, my I guess is that you will need to take the measures as described by the Consultant.

From a K2 point of view however, I don't think you have too much to worry about. When the IP form is opened, the list of Actions are retrieved from the K2 Server, which in turn will enforce security to validate if the user can indeed action the item. If it is not the Destination User, the list will be empty and they will get an error trying to submit. 

You can probably use this also to change the view, but if the user is smart enough to get the XML, they probably will be able to at least view the XML. 

Reply


View our Community Site Map

Nintex Community Sitemap
Terms & ConditionsCookie settings