Any submitted custom form can be browsed by anonymous users!

Topics: Administration, Core, Customizing Orchard, General, Installing Orchard, Writing modules, Writing themes
May 22, 2014 at 5:18 PM
I'm using Orchard Custom forms.
As you know custom forms module uses a content type to create form. Also any user can see all content items by default ("View all content" permission is true).
Therefore any users can see all submitted forms (even from other users) simply.
If users try some url similar to the following, they can see submitted forms.

Users can read request of other users! I think this is big problem.
May 22, 2014 at 8:26 PM
Then turn off the permission for the anonymous user role?
May 22, 2014 at 8:58 PM
If you turn it off, the anonymous users cannot see any page of your site. The only workaround for now: make content type draft able. But this problem must be solved permanently.
May 23, 2014 at 7:14 AM
Edited May 23, 2014 at 7:28 AM
Ah right I see what you mean! That seems as a big security issue indeed! The only way around as I can see is to uncheck the view all contents, and check every content you want the anonymous to be displayed. This only works if the content types are marked as creatable or draftable, so it is very annoying to do it all by hand!
May 27, 2014 at 7:52 AM
Hi mehranrezaei,

Are you just trying to limit access to authenticated users to the forums?

Have you tried adding Content Item Permissions to the forum as part of the content definition?