verbb / formie

The most user-friendly forms plugin for Craft CMS.

Recipients Security #1689

Open spAnser opened 8 months ago

spAnser commented 8 months ago

What are you trying to do?

I want to have a single form that is used on multiple staff member pages, each of which has an email address. But I want to pass that into the form to update who gets notified upon submitting on that individual staff member's page.

There are potentially 50+ staff, and I don't want to maintain the dropdown list with emails and, on the individual staff member pages, which one is auto-selected.

But I don't want to just use a hidden field, which has the potential security issue of allowing bad actors to abuse it.

What's your proposed solution?

https://github.com/verbb/formie/blob/b85bed91a2dc18e1d168af09a49e5b9199f1a80b/src/fields/formfields/Recipients.php#L328-L336

https://github.com/verbb/formie/blob/craft-4/src/helpers/StringHelper.php#L73-L75

The crypt step of this helper appears optional but should probably be required for Recipients fields.

Additional context

I was also curious if these steps run when using GraphQL mutations?

engram-design commented 8 months ago

Just a thought - if it's a staff member page, I would assume it's behind a login, which means the availability of it to bad actors is minimal?

But yes, a hidden recipients field is one way to go. You could also use a visibly disabled regular hidden field, as that won't render the field in the HTML source, but you can still use craft.formie.populateFormValues to populate the value of the field in Twig. That at least has a similar approach to it.

The benefit of a hidden recipients field is that the value is masked in the HTML output. It's still saved as plain text in the database content table, however, and it's mostly so people can't harvest emails from the HTML source.
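The two properties discussed in this thread (masking the address in the HTML source vs. stopping a submitter from changing who gets notified) are distinct, and an unkeyed encoding only gives the first. The following is an added illustration, not Formie's code and not how its StringHelper works: it contrasts plain masking with a keyed (HMAC-signed) token that references a server-side staff id, so the form only ever carries an opaque value and the server rejects any edited one. The key, staff table and ids are constructed for the demo.

```python
import base64
import hashlib
import hmac
from typing import Optional

# Constructed for this demo: in a real site the key comes from configuration
# and the staff -> email table from the CMS (assumption, not Formie's storage).
SERVER_KEY = b"constructed-demo-key-do-not-reuse"
STAFF_RECIPIENTS = {
    "staff-12": "alice@example.com",
    "staff-47": "bob@example.com",
}


def mask_only(value: str) -> str:
    """Unkeyed masking: keeps the address out of the raw HTML, nothing more."""
    return base64.urlsafe_b64encode(value.encode()).decode()


def unmask(token: str) -> str:
    """Anyone can reverse mask_only() and re-encode a different value."""
    return base64.urlsafe_b64decode(token.encode()).decode()


def sign_recipient(staff_id: str) -> str:
    """Render-time: emit an opaque token bound to a staff id, not an address."""
    payload = base64.urlsafe_b64encode(staff_id.encode()).decode()
    mac = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{mac}"


def resolve_recipient(token: str) -> Optional[str]:
    """Submit-time: verify the MAC, then look the address up server-side.

    Returns None for a malformed, tampered or unknown token, so the
    notification is never sent to a submitter-chosen address."""
    try:
        payload, mac = token.split(".", 1)
    except ValueError:
        return None
    expected = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    staff_id = base64.urlsafe_b64decode(payload.encode()).decode()
    return STAFF_RECIPIENTS.get(staff_id)
```

Because the token names a staff id rather than an email, the address also never appears in the page source, which covers the harvesting concern as well.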