kobotoolbox / kpi

kpi is the (frontend) server for KoboToolbox. It includes an API for users to access data and manage their forms, question library, sharing settings, create reports, and export data.
https://www.kobotoolbox.org
GNU Affero General Public License v3.0

Users without proper permissions can view a form's Sharing, Media, and formbuilder screens #2655

Closed duvld closed 3 years ago

duvld commented 4 years ago

Description

Users can see different screens that are implied to be hidden without proper permissions.

Since the form landing's edit icon is greyed out and the data-tip says it is unavailable to the user, they shouldn't be able to see the formbuilder. Similarly, since a user with only view_submissions, change_submissions or validate_submissions permissions does not see the Settings tab, they shouldn't be able to navigate to anything listed in the Settings tab (i.e. Sharing, Media), even though the user can't make any changes to the respective settings/formbuilder.

Steps to Reproduce

For formbuilder:

  1. Grant any permission that is not Edit Form to a userB
  2. Log into userB
  3. Navigate to kobo_url/{uid}/edit/

For Settings:

  1. Grant view_submissions or change_submissions or validate_submissions to a userB
  2. Log into userB
  3. Navigate to kobo_url/{uid}/settings/media or Navigate to kobo_url/{uid}/settings/sharing

Expected behavior

Without proper permissions the user should see "Access Denied"

Actual behavior

The user sees fields that they can manipulate but aren't authorized to

Additional details

Visualization (this user has only View Form and view_submissions permissions): [image: Permissions Bug]
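The root of the report is that the navigation and the router disagree: the Settings tab is hidden, but the URL behind it still renders. The following is an added example, not kpi's own code, of a client-side guard in which one permission table drives both what tabs are drawn and what a typed URL resolves to, so the two cannot drift apart. Permission codenames taken from the issue are view_submissions, change_submissions and validate_submissions; the codenames `view_asset` (for "View Form") and `change_asset` (for "Edit Form"), the screen table and the example uid are assumptions made for this illustration.

```javascript
// Added example (not kpi's own code). One table of screens, each with the
// permission it requires, feeds both the nav bar and the router.
// "view_asset" / "change_asset" are assumed codenames for View Form / Edit Form.
const SCREENS = [
  { name: 'summary', path: 'summary',          requires: 'view_asset',       tab: 'Summary'  },
  { name: 'builder', path: 'edit',             requires: 'change_asset',     tab: null       },
  { name: 'data',    path: 'data',             requires: 'view_submissions', tab: 'Data'     },
  { name: 'sharing', path: 'settings/sharing', requires: 'change_asset',     tab: 'Settings' },
  { name: 'media',   path: 'settings/media',   requires: 'change_asset',     tab: 'Settings' },
];

// Split "/{uid}/<rest>/" into its parts; null when the path is not an asset route.
function parseAssetPath(path) {
  const m = /^\/([\w-]+)\/(.+?)\/?$/.exec(path);
  return m ? { uid: m[1], rest: m[2] } : null;
}

// Screen a URL resolves to for this user: the screen name, 'AccessDenied'
// when the required permission is missing, or 'NotFound' for unknown routes.
// Unknown routes are denied by default rather than rendered.
function resolveScreen(path, userPerms) {
  const parsed = parseAssetPath(path);
  if (!parsed) return 'NotFound';
  const screen = SCREENS.find((s) => s.path === parsed.rest);
  if (!screen) return 'NotFound';
  return new Set(userPerms).has(screen.requires) ? screen.name : 'AccessDenied';
}

// Tabs to draw for this user, derived from the same table (deduplicated, in order),
// so a tab is shown exactly when its screens would resolve.
function visibleTabs(userPerms) {
  const perms = new Set(userPerms);
  const tabs = [];
  for (const s of SCREENS) {
    if (s.tab && perms.has(s.requires) && !tabs.includes(s.tab)) tabs.push(s.tab);
  }
  return tabs;
}

// The situation from the issue: View Form plus view_submissions only
// (constructed sample user and uid).
const viewer = ['view_asset', 'view_submissions'];
console.log(visibleTabs(viewer));                                // [ 'Summary', 'Data' ]
console.log(resolveScreen('/aBcD123/edit/', viewer));            // AccessDenied
console.log(resolveScreen('/aBcD123/settings/sharing', viewer)); // AccessDenied
console.log(resolveScreen('/aBcD123/data/', viewer));            // data
```

This guard only controls what the browser renders; as the issue notes, the server already refuses the actual changes, and that check stays the real control. The value of the client-side table is consistency: whatever is hidden from the nav is also an "Access Denied" screen when reached by URL, which is the expected behaviour the report asks for.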

jnm commented 4 years ago

I do think we should shield people from making edits to a form that they'd never be able to save. Another way we could do that, though, would be to let people open the form builder for forms that they cannot change, and when they save, allow them to save the form to their own account, like a "save as" function. Cloning a form allows something similar. Example workflow:

  1. Anji gives John view access to the Bananas form;
  2. John opens Anji's Bananas form in the form builder and makes changes;
  3. John saves his changes to his own account, creating a new John's Bananas form.

The existing way to get that done would require John to clone the form before opening the form builder.

Another argument for letting people with view-only access open the form builder is that there are certain aspects of the form that can't be seen without using the form builder or downloading XLSForm, and not everyone understands XLSForm.

jnm commented 3 years ago

Closed by #2953