Review (view) page is not displaying when using permissions setting

Hi Orbeon,

Can you help with following issue:

1. Create a form and publish it with following permissions:

Anyone - Create.
Owner - View/Edit/Delete.

2. User Y, who is anyone, logs in and fills out the test form.
3.  After filling out the form, user Y presses the review button (in the flow). With the permission configuration mentioned above this will result in an "Orbeon Forms - Unauthorized You do not have access to this page" error.

With the following permission setting "Anyone - Create/Read" the review page is displayed. But this permission setting creates some security issues. e.g. one can, if one can guess the documentId, see other users’ draft documents when typing the URL directly in the browser.

My questions:

1. Why is review page not displaying with permission "Anyone – Create/Owner - View/Edit/Delete."?
2. How can I set permission for anyone without harming the security?

Hi,

We have tried difference setup and it still fails...

regards
Balatharan

The simple answer is that this is a bug:

https://github.com/orbeon/orbeon-forms/issues/700

-Erik

Hi Erik,

Thanks for your answer..

I can see that the bug has no milestone. This issue is very critical for our client's business.

Can you send Orbeons contact info to my e-mail so that our client can contact you regarding a hotfix.

Regards
Balatharan

This thread is old but I thought I would mention that this issue is now fixed:

    https://github.com/orbeon/orbeon-forms/issues/700

-Erik