Edit link vulnerability?/problems, and resending notifications

  • tsnoad
    Asked on May 08, 2011 at 07:13 PM

    Hi All,

    First, thanks for this service, it's awesome!

    I've got a form that I want users to be able to re-edit, but I want to make sure that users can't edit other users' submissions. It looks like the link uses a form id and a submission id, but the start and end of the sid look the same. How much randomness is there in the sid?

    Is there anything to stop both me and the user from editing a submission at the same time?

    I also tried editing a submission that I'd previously deleted. The form came up as if I was creating a new submission, without any warnings. What would have happened if I'd pressed submit? A new submission?

    I've had this form up for a few weeks before I added the edit link to the notification. Is there any way to resend notifications for submissions that I've already received? Is there a way to guess the edit link, maybe by looking through the HTML on the view submissions page and finding the SID?

    Thanks so much for your help, and thanks again for this great service.

    Tobias

  • NeilVicente
    Answered on May 10, 2011 at 03:12 AM

    Hi,

      - Users' ability to edit others' submissions should be the least of your problems. Submission IDs are generated in a way that is random enough to ward off undesired edits. Take a look at this screenshot, for example:

      - I can not think of a way to disable edit links.

      - You cannot edit a deleted submission. An empty form will come up instead. Submitting will create a new submission.

      - To learn how to get a submission's edit link, visit this thread

    Also, be aware that each edit made to an entry counts as a submission in your account's submissions counter. So if, for example, you have a single submission but it was edited 99 times, then that means your submissions limit is used up.

    Hope this post answered your questions. If there's anything else, please let us know.
    Neil
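As an added illustration of what "random enough" means for an edit link (example code written for this thread, not JotForm's implementation; the server key, URL host and ID values are constructed): each link carries a 128-bit token from the OS CSPRNG, the server stores only an HMAC of it bound to the form and submission IDs, comparison is constant-time, and deleting a submission revokes its link, so a stale link can no longer edit anything.

```python
import hashlib
import hmac
import secrets

# Constructed secret for this example; a real deployment loads it from config, never source.
SERVER_KEY = b"example-server-key-not-for-production"


class EditLinkStore:
    """Issues and validates per-submission edit links.

    The raw token exists only in the link sent to the user; the store keeps an HMAC
    keyed with SERVER_KEY, so reading the store (or the page HTML that renders it)
    does not yield a usable edit link.
    """

    def __init__(self):
        self._macs = {}        # submission_id -> hex HMAC of (form_id, submission_id, token)
        self._deleted = set()  # submission IDs whose links have been revoked

    def _mac(self, form_id, submission_id, token):
        msg = f"{form_id}:{submission_id}:{token}".encode()
        return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

    def issue(self, form_id, submission_id):
        """Create a fresh edit link; 16 random bytes gives 128 bits of entropy."""
        token = secrets.token_urlsafe(16)
        self._macs[submission_id] = self._mac(form_id, submission_id, token)
        return f"https://example.invalid/edit/{form_id}/{submission_id}?t={token}"

    def delete(self, submission_id):
        """Deleting a submission also revokes its edit link."""
        self._deleted.add(submission_id)
        self._macs.pop(submission_id, None)

    def can_edit(self, form_id, submission_id, token):
        """True only for a live submission whose link token matches under the same form."""
        if submission_id in self._deleted or submission_id not in self._macs:
            return False
        presented = self._mac(form_id, submission_id, token)
        return hmac.compare_digest(self._macs[submission_id], presented)


def token_from_link(link):
    """Pull the token back out of a link produced by EditLinkStore.issue."""
    return link.rsplit("?t=", 1)[1]
```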