- atadmin Asked on June 30, 2016 at 03:03 PM
I was about to open a registration form which will contain personal information. I added the "edit link" to my notification email in order to print the form exactly as it looks (with the correct page breaks). I ran a few test submissions and everything works correctly which is excellent.
My only concern is that it appears that I can open that link from any browser without having to first log in, which is not good since they are being sent in email. I also have users uploading other documents within the form. Those also create links that appear to be accessible from anywhere.
I know that we are using SSL and that your data centers are secure, which is great, but is there a way to close that last security loop? Before anyone can click, view or download from any of the links, they need to log in.
- Ben Answered on June 30, 2016 at 05:17 PM
We understand what you mean; however, there is a logic to the edit links that happens in the back and allows the same to you. For example, if you try changing the numbers around, the chances of you hitting some submission that was made and that you do not know of would be very small, if any - per our developers.
So while we understand what you mean, the background process that handles this was not explained in detail to us either - and it was the first thing that we asked - only that it should not allow someone to just grab someone else's data.
- atadmin Answered on June 30, 2016 at 05:47 PM
Agreed that the uniqueness of the links would be difficult enough to guess and the number of possible combinations would slow down a URL generator/tester.
However, that still leaves me with 2 concerns. First, the link is being sent in an unencrypted email, so anyone who can view/intercept the email (and therefore the link) now has direct access to the form data. Also, I have to trust my other account users to have common sense when it comes to protecting the URLs. Users with common sense is more of a concern :-).
I can work around it for now by changing our process a little but it would be nice if we had the ability to require a login before any of the submission data is visible. Maybe toggle it on/off for others that need that functionality.
Thanks for your reply.
- JotForm Support BDAVID Answered on June 30, 2016 at 11:21 PM
So, you want the form to request a password before showing all the data in edit mode?
Something like this workflow?
If yes, you might consider this workaround:
1) Add three fields at the beginning of your form:
a) A native text box field which you can label "Access word" or similar.
b) The Get Form Page URL widget: https://www.jotform.com/help/252-How-to-Add-a-Widget-to-your-Form
c) A third text box field which you can label as you want to, in this case I label it as "Flag":
2) Create a condition to show the "Access word" field if the form is loaded in edit mode: https://www.jotform.com/help/316-How-to-Show-or-Hide-Fields-Base-on-User-s-Answer
3) Create a second condition to input a value in the "Flag" field if the form is loaded on edit mode: https://www.jotform.com/help/268-How-to-Insert-Text-or-Mathematical-Calculation-into-a-Field-Using-Conditional-Logic
4) Add a Form Collapse after the "Flag" field, and before your form fields:
(Set its Status to "Open", and its Visibility to "Hidden")
5) Create a third condition to hide the Form Collapse field if the "Flag" field is filled:
6) Create the last condition to show the Form Collapse field, which I have labeled "Show all fields", if the "Access word" field is equal to any word you designate, in my case if it is equal to "pass":
7) Hide the "Flag" field with custom CSS code: http://www.jotform.com/help/117-How-to-Inject-Custom-CSS-Codes
Here is my form version: https://form.jotform.com/61817754947975
You may clone it to inspect further if you want to: http://www.jotform.com/help/42-How-to-Clone-an-Existing-Form-from-a-URL
Let us know if you need more help.
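
The login requirement with an on/off toggle that atadmin asks for earlier in the thread, sketched as an added example (not JotForm's code or API, and not part of the original posts): the server checks the emailed link token first, then an authenticated session. `Form`, `Submission`, `can_open_edit_link` and every field name are hypothetical, and the sample accounts are constructed.

```python
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Form:
    # Hypothetical per-form setting: the on/off toggle requested in the thread.
    require_login_for_links: bool = True
    # Accounts allowed to view this form's submissions (constructed sample data).
    authorized_users: set = field(default_factory=set)


@dataclass
class Submission:
    form: Form
    # Unguessable token embedded in the edit/upload link sent by email.
    link_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


def can_open_edit_link(submission, presented_token, session_user=None):
    """Return (allowed, reason) for a request to an edit or upload link.

    session_user is the account name taken from an authenticated session,
    or None when the visitor is not logged in.
    """
    # Step 1: the token must match; compare in constant time.
    expected = submission.link_token.encode()
    if not hmac.compare_digest(expected, presented_token.encode()):
        return False, "unknown link"
    # Step 2: toggle off means the link alone grants access, which is the
    # behaviour described in the thread.
    if not submission.form.require_login_for_links:
        return True, "link only"
    # Step 3: toggle on means a forwarded or intercepted link is not enough.
    if session_user is None:
        return False, "login required"
    if session_user not in submission.form.authorized_users:
        return False, "not authorized for this form"
    return True, "link and login"


if __name__ == "__main__":
    form = Form(authorized_users={"atadmin"})  # constructed account name
    sub = Submission(form=form)
    print(can_open_edit_link(sub, sub.link_token))             # no session
    print(can_open_edit_link(sub, sub.link_token, "atadmin"))  # logged in
```

Because the decision is made on the server before any submission data is returned, it does not depend on which fields the browser shows or hides.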