Is the edit link unsecured?

yonatann

Asked on April 20, 2016 at 8:59 AM

Hi,

I note that each submittion is editable via the URL: https://www.jotform.com/edit/{submissionID} without requesting any authentication details from the visitor.

Is it so in all forms automtaically? is there a way to prevent this?

Best,
Yonatan Goldberg
Huberson

Replied on April 20, 2016 at 10:58 AM

Hello Yonatan Goldberg,

The submissions are in fact editable via the URL you mentioned above but the submissions IDs are not in a 1-2-3 way so they can be easily guessed and used by anyone with that link to edit a submission.

Hope that answer your concern.
yonatann

Replied on April 21, 2016 at 8:26 AM

Thanks for the kind support.

Please only confirm that I can trust the URL "https://www.jotform.com/edit/{submissionID}" to be accessible to everyone (if they know the address of course...) for editing. True?
Huberson

Replied on April 21, 2016 at 11:07 AM

Since the URL is sent by email if you set an Autoresponder email, the submission can be edited by that person receiving the email with the 'edit link'.

To answer your question again, yes it is accessible without being logged in because someone submitting your form should not have to log in just to edit their submission using the 'edit link' from the email sent via Autoreponder.

But, to access and edit a submission someone need the ID, which can be accessed from your account under submissions page or from the email account of the person who made this specific submission.

So people can only access a specific submission only if they have found the specific ID for that submission.

I would suggest you add the 'Edit Link' in the Autoresponder email only if you want to grant people access to edit their entries after a submission has been made.