Important Consideration with Custom Forms and Content Item Security

Topics: Customizing Orchard, General
Jun 25, 2013 at 1:47 AM
If you are using the Custom Forms module with your Orchard site and have configured the form to save the data when it's submitted, then you need to be aware that the subsequent content item that is generated may be publicly visible, potentially exposing sensitive information like a customer's email address, phone number or whatever other information you have requested from the user in the form.

The default content route for displaying all content items is ~/contents/item/display/{id} and this can be used to display the data from the submitted form, since Custom Forms simply creates a new content item based on the Content Type you have defined for the custom form.

If you don't want your submitted form data (customer enquiries, feedback forms, etc) to be publicly visible, then you should ensure that the Content Type that you create for use with your form has the "Draftable" option selected. This way, when a user submits the form and the content item is created, it will not be published.

Also note that if you apply this change to an existing content type for a custom form, then after you make the content type Draftable you will also likely want to go through any existing form submissions and unpublish them so they are no longer visible.

I think it would be worthwhile updating the Orchard doco (http://docs.orchardproject.net/Documentation/Creating-Custom-Forms) to add a point that emphasises the significance of making the content type Draftable when creating a custom form.
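Added example (not from the original post or the Orchard project): an Orchard 1.x data migration that applies the two steps described above in code, marking the form's content type Draftable so new submissions land unpublished, and then unpublishing any submissions that were already published. The type name "ContactEnquiry" is assumed.

```csharp
using Orchard.ContentManagement;
using Orchard.ContentManagement.MetaData;
using Orchard.Data.Migration;

namespace MySite.ContactForm {
    public class Migrations : DataMigrationImpl {
        private readonly IContentManager _contentManager;

        public Migrations(IContentManager contentManager) {
            _contentManager = contentManager;
        }

        // Step 1: make the content type used by the custom form Draftable.
        // "ContactEnquiry" is an assumed name for the type the form saves to.
        public int Create() {
            ContentDefinitionManager.AlterTypeDefinition("ContactEnquiry", cfg => cfg
                .WithPart("CommonPart")   // owner, created/modified dates
                .WithPart("TitlePart")
                .Draftable());            // new submissions are saved as drafts, not published
            return 1;
        }

        // Step 2: for a type that was already in use, unpublish every submission that
        // is currently published so it is no longer reachable at ~/contents/item/display/{id}.
        public int UpdateFrom1() {
            var published = _contentManager
                .Query(VersionOptions.Published, "ContactEnquiry")
                .List();

            foreach (var item in published) {
                _contentManager.Unpublish(item);   // keeps the data, removes it from public display
            }
            return 2;
        }
    }
}
```

Run the migration once from the Modules admin (Features/Update) or by bumping the module's version so Orchard picks up the pending migration step.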
Jun 25, 2013 at 3:03 AM
Good call, I just noticed this too from another comment on the Dev Directive Site. Don't know if that was you that commented.