K2 Smartforms Security - Prying eyes can see all completed forms...


Userlevel 3
Badge +16

Hi all,

Wanted to ask about K2 smartforms security...

I am working on a sensitive form that, once it has been submitted, only a Manager should be able to edit afterwards.

In the email sent to the manager, I send a link to the completed form using form parameter passing, i.e. myform/?FormID=5 for example.

However, I just tried the link using a logged-in standard user (who is not a manager and has no connection with the form), just put the URL in with myform/?FormID=5, and it loaded up....

How can I ensure that only a designated manager/Manager group can access the completed form and that no Tom, Dick or Harry can access it...

Also, changing the FormID number to any other number also allows access to it...

For this form to pass, I must have the following to be 100%:

1) ANYONE can access and complete the Form

2) ONLY the Manager/Manager group can access the completed form via the link ending in FormID=xxx

I assumed this would be default security, but it obviously isn't...

Can anyone advise please?

Thanks anyways


9 replies

Userlevel 5
Badge +16

Hi Sharpharp1,

You can add a condition on the form initialize rule to get the current user's group.

For example:

Get GroupsByUser (map DisplayName to a hidden data label)

If data label = Managers

load the form

Else

show a message or do nothing

Userlevel 5
Badge +16

But there is an exception: if the user is in more than one group,

I guess it's better to use the "GetUsersDetails" method and map "distinguishedName" to the data label,

then add this condition:

If data label CONTAINS Managers

load the form

Else

show a msg or do nothing

Userlevel 3
Badge +16

But if I do that, won't it prevent any other users from using the form to submit the form in the first place?

The form must allow anyone to use it, but only managers to access the completed forms.

 

 

Userlevel 5
Badge +16

Hi sharpharp1,

Simply, you can make the condition like the following:

If FormID IsNotEmpty AND DataLabel Contains Managers

Load the form or views

Else

Initialize views normally

Does it help like this?

 

 

Userlevel 3
Badge +16

Not sure that will work.

The Managers group and one separate manager are the ones that require access.

The rule has got to say something like: if the logged-in user is a member of a specific AD group or the user is User1, then proceed.

I used GetUserDetails to return the distinguishedName, but how do you use that to see if the user is a member of the AD group?

Badge +8

I think what you want to do is modify the permissions on the process. Revoke the View right from your users and grant them View Participate rights. The View Participate right only allows users to view a process instance if they participated in it (e.g. approved it).

For any permissions more complicated than this, you will have to find an alternative approach. Some of our processes have very complex security rights and K2's broad security settings didn't cut it for us. We push most of our security into the application layer, but we use .NET WebForms as the front end (not SmartForms) so we can add whatever logic is appropriate for that process.

Badge +10

Replying to sbrownhuntoilco's post: the View and View Participate permissions really only apply to the K2 Reports and K2 ViewFlow diagram, not to whether someone can view SmartForms, which are typically used to display more of the business data.

To see if a user is a member of an AD group, the AD Service 2 allows you to create a SmartObject off of the "AD User" which has a method called GetUsersByGroup. You can pass the group name and it'll list all the members of the group. When the form opens you could call this method and compare it to the user name that the SmartForm exposes, and if the user isn't a member, redirect them to another information page or something.

Badge +9

Is the form not split into different states, like one for submission and one for completed? Then you could just apply the filter on the completed state.

Userlevel 3
Badge +16

Big thanks to everyone that responded, I got it working.

Used the GetUsersByGroup method, followed by a transfer action to populate a data label.

Then used an if statement to check if the data was empty or filled, then shoot off the denial if not populated.

Thanks all....!!!!
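The rule the thread converges on (blank form open to everyone; the record behind ?FormID=N open only to the Managers group or one named manager) is an ordinary authorization decision, and it is easier to reason about written out as one. The Python below is an added example, not K2 code: the DIRECTORY dictionary stands in for what GetUsersByGroup returns, COMPLETED_FORMS stands in for the submitted records, and every user, group and FormID in it is constructed sample data. Two details matter for the original complaint that any FormID loads: the membership check runs before the record is read, and a non-manager gets the same "denied" answer whether or not the FormID exists, so guessing numbers reveals nothing. Whatever layer actually serves the record (a form rule only controls what the form displays) needs to apply the same check.

```python
"""Added example (not K2 code): authorization for a two-state form.

  1) anyone may open the blank form and submit it;
  2) once submitted, the record behind ?FormID=N may be opened only by
     members of the Managers group or by one designated manager.

DIRECTORY stands in for the GetUsersByGroup lookup; all names are constructed.
"""
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit

# Constructed stand-in for the AD group listing GetUsersByGroup would return.
DIRECTORY = {
    "DOMAIN\\Managers": {"DOMAIN\\alice", "DOMAIN\\bob"},
    "DOMAIN\\Staff": {"DOMAIN\\carol", "DOMAIN\\dave", "DOMAIN\\alice"},
}

# Constructed completed-form store keyed by FormID (the thread's ?FormID=5).
COMPLETED_FORMS = {
    5: {"submitted_by": "DOMAIN\\carol", "payload": "salary review for carol"},
    6: {"submitted_by": "DOMAIN\\dave", "payload": "grievance filed by dave"},
}


@dataclass(frozen=True)
class Policy:
    """Who may open completed forms: a group plus individually named managers."""
    managers_group: str
    designated_users: frozenset = field(default_factory=frozenset)


def members_of_group(group: str) -> set:
    """Equivalent of calling GetUsersByGroup(group) and collecting the names."""
    return set(DIRECTORY.get(group, ()))


def is_manager(user: str, policy: Policy) -> bool:
    """Group membership OR the explicitly named manager (the thread's 'User1').

    Exact principal comparison on purpose: a substring 'contains Managers'
    test on a distinguishedName would also match a group such as
    'ManagersAssistants'.
    """
    return user in members_of_group(policy.managers_group) or user in policy.designated_users


def form_id_from_url(url: str):
    """Parse ?FormID=N from a link; None when absent or not an integer."""
    values = parse_qs(urlsplit(url).query).get("FormID")
    if not values:
        return None
    try:
        return int(values[0])
    except ValueError:
        return None


def open_form(user: str, url: str, policy: Policy) -> dict:
    """Decide which view to load; the check runs before any record is read."""
    form_id = form_id_from_url(url)
    if form_id is None:
        # State 1: blank form, anyone may fill it in and submit.
        return {"view": "submit", "data": None}
    if not is_manager(user, policy):
        # State 2 requested by a non-manager: deny before looking the record
        # up, so the answer is the same for real and guessed FormIDs.
        return {"view": "denied", "data": None}
    record = COMPLETED_FORMS.get(form_id)
    if record is None:
        return {"view": "not_found", "data": None}
    return {"view": "completed", "data": record}


if __name__ == "__main__":
    policy = Policy("DOMAIN\\Managers", frozenset({"DOMAIN\\erin"}))
    for who, link in [("DOMAIN\\carol", "https://host/myform/"),
                      ("DOMAIN\\carol", "https://host/myform/?FormID=5"),
                      ("DOMAIN\\alice", "https://host/myform/?FormID=5"),
                      ("DOMAIN\\erin", "https://host/myform/?FormID=6")]:
        print(who, link, "->", open_form(who, link, policy)["view"])
```

The thread's final approach (transfer the GetUsersByGroup result into a data label and deny when it is empty) corresponds to `is_manager` returning False; the named-manager case from the same thread is covered by `designated_users`.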
