Contrib.social

Anonymous Link Security

Open on Drupal.org →
Created on 4 November 2024, 17 days ago

1.0 Problem/Motivation
For my project I let anonymous user create an activity using an drupal webform with civicrm integration.
There after the source contact gets an Email, which confirms the submission. Now I want to give them the possibility to change the activity using a second form.
Herefore I embed a Link using a message template:
https://MY_URL/form/FORM_LINK?cid1={contact.contact_id}&{contact.checksum}&activity1={activity_tokens.activity_id}
This works so far.

The Problem is, that an anonymous user could now see and edit any other activity by incrementing the activty_id.

3.0 Proposed resolution

So I would like to add another checksum to the activity, and to another contact.
Or I would like to add an secret to the URL, which will resolve exactly one combination of c1, activity1.

So I would like to add another checksum to the activity, and to another contact.
I could not find any Option to enable this. But maybe I just didn't found the needed Options..

💬 Support request
Status

Active

Version

6.0

Component

Webform/Drupal

Created by

pklausing

Live updates comments and jobs are added and updated live.
  • Security

    It is used for security vulnerabilities which do not need a security advisory. For example, security issues in projects which do not have security advisory coverage, or forward-porting a change already disclosed in a security advisory. See Drupal’s security advisory policy for details. Be careful publicly disclosing security vulnerabilities! Use the “Report a security vulnerability” link in the project page’s sidebar. See how to report a security issue for details.

Sign in to follow issues

Comments & Activities

  • Issue created by @pklausing
  • Comment 17 days ago
    🇨🇦Canada karing 🇨🇦

    The checksum gives the user the permissions as if that user was logged in and that varies greatly between users. So for anonymous that then defaults to role = authenticated. Do users with role=authenticated have permissions to View all activities (for visible contacts)?

  • Comment 17 days ago
    pklausing

    Hey Karin,

    So the contact hash protects elevates the contact to authenticated.
    After that, I realised, that I did not test correctly. It only worked for activites, which where also created by this anonymous contact.

    I would mark this issue as closed.

  • Comment 17 days ago
    pklausing
contrib.social Blog FAQ Discussions
Production build 0.71.5 2024