Good morning all,
I know this is not K2 specific but I wonder if any of you have seen this issue before. Apparently you can completely subvert item level permissions on an InfoPath form if you know the forms URL.
Here are the steps to reproduce:
To reproduce this,
1. Submit a form to a form library using a regular account (user1).
2. Select the item which opens the form in the browser.
3. Copy the URL to the clipboard.
4. Using an admin account, break list item permission inheritance and remove all permissions for user1.
5. Switch back to user1.
6. Paste the URL into the browser and try to open the form.
I am guessing the form will open with zero issues. Another one of my companies consultants at our Houston office noticed this issue and emailed an internal distribution group, and I decided to test it in a vanilla SharePoint/K2 install instance and it worked as described in his email. Have any of you seen this before or possibly know a work-around?
The Houston consultant was able to somewhat workaround by using code-behind in the InfoPath form, however I don't think that will work in my situation since I have to rely on browser based IP forms.