My current application does not require authentication as per business requirements.
There are basic forms we want the users to fill out. We are using Liquid templating to show which basic form the user is on depending on what form-number they are on (provided in the query params as "?form=4" as an example).
Because we are allowing our users to edit their information before they submit their final form, we are referencing the form GUID in the URL as well (like formID=GUID here). We are forced to reference 'Query String' from the form instead of 'Current Portal User' and 'Record Associated to Current Portal User' because our users are anonymous.
Everything works well, except if the user were to nonchalantly copy their URL during the form process and send it to someone. At that point, whoever receives the link will be able to edit the forms and see sensitive data pertaining to the user who sent the link.
I was hoping that the Liquid code would be able to see if there are any variables inside the browser window session and choose to not dynamically render the form if the IDs in the URL did not match the ID in the session; however, our Liquid can only see the URL request.
Another workaround would be to force the URL to our base URL after load, using JavaScript - once the forms were done reading the URL IDs (this would prevent the user from accidentally sending their link out, while trying to share the website).
I would love to hear from any experts out there if they've seen a case like this before!
Please help - I don't want to recreate these forms in JavaScript if I don't have to (since JavaScript is the only way I can detect the session storage reliably at the moment).
Thanks for your time!
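The address-bar workaround described in the question, as an added example that is not the poster's or the portal's own code: once the page has rendered, the record GUID is moved from the URL into `sessionStorage` and the visible URL is rewritten without it, so a copied link no longer carries the GUID. This changes only what the browser shows; a request that carries a valid `formID` is still served exactly as before. The parameter name `formID` comes from the post; the function names, the storage key and the sample URL are assumptions.

```javascript
// Added example: scrubUrl, restoreUrl, stashAndScrub and SECRET_PARAMS are hypothetical names.
// "formID" is the record GUID parameter from the post; "form" (the step number) is kept.
const SECRET_PARAMS = ["formID"];

// Pure helper: split a URL into the version that is safe to show in the
// address bar and the secret parameters that were removed from it.
function scrubUrl(href, secretParams = SECRET_PARAMS) {
  const url = new URL(href);
  const wanted = new Set(secretParams.map((p) => p.toLowerCase()));
  const secrets = {};
  // Materialise the distinct keys first: deleting while iterating skips entries.
  for (const key of new Set(url.searchParams.keys())) {
    if (wanted.has(key.toLowerCase())) {
      secrets[key] = url.searchParams.get(key);
      url.searchParams.delete(key);
    }
  }
  return { clean: url.toString(), secrets };
}

// Inverse: re-attach the stashed values when building the link to the next
// form step, because the server-side template only sees the query string.
function restoreUrl(href, secrets) {
  const url = new URL(href);
  for (const [key, value] of Object.entries(secrets)) {
    url.searchParams.set(key, value);
  }
  return url.toString();
}

// Browser hook: stash the secrets for this tab only, then rewrite the address
// bar without reloading. Returns false when there was nothing to hide.
function stashAndScrub(win) {
  const { clean, secrets } = scrubUrl(win.location.href);
  if (Object.keys(secrets).length === 0) return false;
  win.sessionStorage.setItem("formSecrets", JSON.stringify(secrets));
  win.history.replaceState(win.history.state, "", clean);
  return true;
}

if (typeof window !== "undefined") {
  window.addEventListener("DOMContentLoaded", () => stashAndScrub(window));
}
```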