Allow internal users to submit a form after a specific time while public users are cut off?

SELECTED ANSWER

replied on February 13, 2019

You could create a hidden and read-only field on the form and populated it with the "Current User" value as the default. With anonymous users it should remain blank, but if the user is authenticated it would have their username. Then, you could check that to determine if the Submit button should be hidden.

0 0

View 4 previous replies

replied on February 13, 2019

I was just about to suggest a similar thing. You could also use field rules so that IF Current User = blank, it also hides all the fields and shows an HTML field with a message saying the submission time for the form has passed. Otherwise all the normal fields would show up.

1 0

replied on August 20, 2021

I've been using a similar process on some Laserfiche Cloud forms, but am running across some things I don't necessarily like from a security perspective. When using field rules or even the normal css "hide" class that is suggested, I've found these methods are fairly trivial to bypass. Open the Form page, right click and "Inspect". Once the dev console is up, scroll through the list of fields in the DOM and find ones with a "hide", "hidden" or "lf-container-hidden" class and then remove those classes. Viola! The hidden fields and sections are now available!
Granted the average user won't be that savvy, but especially in trying to construct a form where users really shouldn't see specific information, this seem problematic. For example, in Laserfiche Cloud, all authenticated users can see all forms (currently no user or groups security). If I attempt to control which users can see which forms (or parts of forms) I need to use a hidden form variable that stores the logged in user. Using "Inspect" I can expose that field and then possibly manipulate that hidden information. Maybe I'm being to overly cautious here, but I'd like to find a better way to control some of this information without it being hidden on the form.

0 0

replied on August 20, 2021

Hi Nathan,

In reality, anything you do on a web form is client-side and therefore trivial from a security perspective; that is why you don't rely on those techniques for true "security" concerns.

Hiding/showing data on a form is not the same as access control, and if you need access control you shouldn't rely on the page to do that because at the end of the day it is controlled by the client browser, not you.

Technically speaking, I can inspect a form and run JavaScript from the console to cause all kinds of havoc with a form (not just in LF Forms), like removing the required attribute to skip required fields, manipulating hidden values, etc.

That's why you want to perform back end validation for anything that is really critical.

0 0

replied on August 20, 2021

Thanks Jason. Yep I'm beginning to understand better the limitation of the client-side approach. The challenge is, that it's the only way to solve for access control in Laserfiche Cloud Forms at the moment. I know that Forms ACLs are on the road map, but need something equivalent now.

Unless I've misunderstood, even the back end validation done inside forms doesn't achieve what I want because it has to run data through a forms variable (which is then subject to manipulation in the page DOM).

I've tried using a multi-step process as well, moving validation to rule/workflow tasks. This kind of works with the forms "chained" together using user tasks and the "automatically load the next task if the same person is assigned to it" option. However, this ends up exposing user side data. In those subsequent user task forms the detail and assignment panes are present and via the assignment pane the entire user list is available (a user can see every single other user in the system by attempting to re-assign their form/task).

My use case here is that with Laserfiche Cloud I need to build out a set of internal (participant) and separate external (community) forms processes. Some of the internal processes are security sensitive and should not be exposed to the external community users. But those external community users do have a set of forms they need to use. Without access control I'm left with building show/hide/redirect logic into the internal forms so that if an external community user happens to click that form it doesn't give them access to internal processes they shouldn't see.

If you've got any specific suggestions I'd love to hear them. I'm no expert on forms, but not afraid of diving into CSS and javascript to build a solid solution. (We've also explored using self-hosted Laserfiche for this project but it's got to be Cloud)

0 0

replied on August 20, 2021

Honestly, it sounds like you almost need two separate instances. The access controls in self-hosted Forms allow us to restrict who can see/submit specific processes so that would address one of the concerns you mentioned.

It is worth noting that some variables/values cannot be manipulated on the user end because they are system variables. For example, you can pull things like _initiator in a gateway, or Submitter Account in a triggered Workflow.

Unlike a field on the form that can be changed by the user, this value is tied to their authentication so it's far more secure. Then, you could use that in gateways or workflows or something to validate the submission.

However, even with self-hosted there is no way that I know of to restrict who can see who when you allow reassignment so your "external" users would still be able to see a list of every user in the system.

I'm not especially familiar with how things are set up in the cloud version, but with self-hosted you can disable the ability to reassign for specific user tasks, and you can also chose to hide the action history.

I imagine a good question to start with is, why do your external users need to be licensed rather than using public portal submissions? I'm sure you have a reason, just trying to get some context.

0 0

replied on August 20, 2021

The overall goals are:

Provide external community users with Forms that streamline the data gathering process for documents. Repository access should be explicitly granted to those documents for each user. (Each user can only view their documents)
Provide internal users a separate set of Forms related to the management of the external users and their documents.

To paint a generally broader picture of this project, this would be like an accounting company providing a cloud based enterprise content management system (ECMS) as a service to their clients (external companies). In the course of the business relationship each external company should be granted rights to login and access their "company" folder to store/view documents in the ECMS. The system should also have the ability to create intuitive web forms to help guide external users around the collection of data.

Additionally the accounting company users also have internal web forms and folders they need to use in the ECMS . Some of the forms, in particular, have to do with manipulating data and access on the external users folders/documents and so shouldn't be available for external clients to see or use.

Security and privacy are very important. Keeping documents strictly separated between external clients is a must. Also the accounting company's "client list" is considered confidential so having the ability for any of their clients to stumble across a way to view all other clients registered in the ECMS is a big red flag.

So far the repository side of Laserfiche can be set up appropriately, but it's all those pesky forms processes, designed for very different internal and external audiences, that are proving challenging.

0 0

replied on August 20, 2021

That makes sense.

Based on the use case you described, I have a fairly similar process in place that we launched in response to the pandemic because people could no longer physically deliver/retrieve documents.

What I did is avoid assigning licenses to the users entirely (assuming your public users do not need to edit documents in the repository) because we have far too many public submitters for the licensing costs to ever be practical.

This is what I did:

Create LFDS accounts for public users tied to their email address and assigned no license at all.
Set up a public WebLink instance and repository accessible to those accounts (general access to the repository is inherited from a Directory Group they're assigned to in LFDS).
Created a public form (anonymous submission without authentication) that anyone can submit even without a license
Use the email address they enter on the form in a workflow to run a search and "connect the dots" to their account.
If the account/email is found, save the files to the repository and give their account rights to view the files via workflow.
If the account is not found, don't save the documents and send an email letting them know they don't have a valid account.

This probably wouldn't be as "robust" as you'd like since the public users are not authenticated, but it has a couple of key advantages when you're weighing the balance between security and functionality:

No need to license the public users to get access control since WebLink can provide read-only access to accounts that don't have a license.
No concern about seeing anything in Forms because they are public (anonymous) submissions and not actually logging into Forms at all.

Of course, this has limitations, like you can't assign user tasks to public users so if back-and-forth interactions and such are absolutely required it kind of eliminates this as an option, but I thought I'd throw it out there anyway.

0 0

Question

Question

Allow internal users to submit a form after a specific time while public users are cut off?

Answer

Replies

Sign in to reply to this post.