
Webform private option unset - why? (is comment right?)


Webform private option unset - why? (is comment right?)

Hilary Caws-Elwitt

Hi all,

We want to use the webform “Private” component setting, which would be very useful for internal uses (marking a submission dealt with, for example). This ability is unset on line 137 of mm_webform.module with the following comment: “do not allow users to change this setting. Setting is confusing and can allow anonymous users to upload files.”

Confusing maybe, but I don’t understand the part about allowing anonymous users to upload files. Anonymous users can upload files anyway if the form creator uses the “file” component type. The private setting is separate and works perfectly well as far as I can tell. There was a bug in the early Webform 4.x that exposed private fields, but that was fixed in 2012 and the MM commit is on 6/17/2013. Can somebody explain?

Unless there’s a security issue, can’t sites that find the private setting confusing just use their own webform hook to unset it?

--

Hilary Caws-Elwitt

IT Analyst - Five Colleges, Inc. - http://www.fivecolleges.edu

97 Spring St, Amherst MA 01002

[hidden email] - 413-542-4022

---

You are currently subscribed to monster_menus as: [hidden email].

To unsubscribe click here: http://lists.middlebury.edu/u?id=685503.6b071f880fe6a965a128164e6d09ea81&n=T&l=monster_menus&o=717897

(It may be necessary to cut and paste the above URL if the line is broken)

or send a blank email to [hidden email]


Re: Webform private option unset - why? (is comment right?)

Anita Rao
Hi Hilary,

You are right in that sites that find the private setting confusing can use their own hook to unset it. I moved that line of code out of mm_webform to a local module specific to Amherst. The commit for this is 7bdc890.

We are still using webform 3.x and a heavily customized webform file component. Honestly, I don’t recollect the issue/comment related to anonymous users uploading files. So, I don’t want to guess why that comment was added. I don’t see any security issue with it and you can confirm that by testing.

Anita

From: Hilary Caws-Elwitt <[hidden email]>
Reply-To: Monster Menus Development <[hidden email]>
Date: Wednesday, July 1, 2015 at 10:21 AM
To: Monster Menus Development <[hidden email]>
Subject: Webform private option unset - why? (is comment right?)



RE: Webform private option unset - why? (is comment right?)

Hilary Caws-Elwitt

This is great! Thanks, Anita!

--

Hilary Caws-Elwitt

IT Analyst - Five Colleges, Inc. - http://www.fivecolleges.edu

97 Spring St, Amherst MA 01002

[hidden email] - 413-542-4022

From: Anita Rao [mailto:[hidden email]]
Sent: Tuesday, July 07, 2015 4:33 PM
To: Monster Menus Development
Subject: Re: Webform private option unset - why? (is comment right?)