Form for Confluence - Add username in form mail using confluence value and not hidden field

Alexandre Bosserelle October 18, 2018

Dear Confluence users,

We are using a form allowing people to request the deletion of their user account.

The username is collected through an input field with name username and automatically filled with the value of $user.name (https://www.adaptavist.com/doco/display/F4C/Confluence+Values).

When the form is submitted, the value of the hidden field is sent using #username.

However, we noticed this is easily hackable: advanced users could inspect the code, change the value of the hidden field and thus request the deletion of someone else's account.

Is there a way to secure this and add the username of the guy submitting the form in the form mail formatter, instead of using the value of a hidden field which can be hacked / hijacked?

Thanks a lot for your help,

Best regards,

Alexandre

PS: this principle could be applied: https://community.atlassian.com/t5/Answers-Developer-Questions/Generate-a-Hash-MD5-value-for-form-data/qaq-p/468199 - but again it requires using JavaScript and filling fields on the client's side, so it is not reliable.

2 answers

1 accepted

1 vote
Answer accepted
Tony Gough [Adaptavist]
November 19, 2018

Hi Alexandre,

I'm a support software engineer in the Confluence team here at Adaptavist. We would greatly appreciate it if you would open a support ticket with us to review the issue you have identified, using the following portal:

https://productsupport.adaptavist.com/servicedesk/customer/portal/8

Following this we will investigate your findings and try to come up with a solution for you. We will also update this ticket with any relevant outcomes.

Many thanks and kind regards,
Tony

Alexandre Bosserelle November 20, 2018

Dear Tony,

Thank you for your feedback and for coming back to us.

We created an issue with further details on FORMSUP-404.

Best regards,

Alexandre

1 vote
Stephen Cheesley _Adaptavist_
November 21, 2018

In your use case I would not recommend using any form fields to store the username. You are correct in that any of the fields that exist in the form can be edited using the browser's developer tools.

Instead of using the form fields to store a username, you should instead refer to the “sender” field on the form response. This username value is secured and cannot be tampered with (see screenshot below).

[Screenshot: sender.png]

Note: You can create an "empty" form with just a submission button if this is the only part of the information you need.

Alexandre Bosserelle November 21, 2018

Dear @Stephen Cheesley _Adaptavist_ and @Tony Gough [Adaptavist],

Thank you for your feedback, and taking care of support requests.

Indeed, your suggestion to refer to the “sender” field of the form response is really helpful and solves our business case; this way, the username / e-mail address are secured and cannot be tampered with.

Thanks again and best regards,

Alexandre
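The pattern discussed in this thread, as an added example that is not part of the original posts or of Forms for Confluence: a request handler that trusts the client-supplied hidden `username` field, next to the hardened version that uses the server-side authenticated sender, plus a check that flags submissions where the two disagree. The `Submission` shape, the field names and the sample data are constructed assumptions for illustration.

```python
"""Hidden-field identity vs. server-side sender identity (constructed example)."""
from dataclasses import dataclass, field


@dataclass
class Submission:
    """One form response as the server sees it (assumed shape, not the product's)."""
    sender: str                                  # set by the server from the session
    fields: dict = field(default_factory=dict)   # every value here came from the client


def target_from_hidden_field(sub: Submission) -> str:
    """Vulnerable: the account to delete is whatever the client posted."""
    return sub.fields["username"]


def target_from_sender(sub: Submission) -> str:
    """Hardened: the account to delete is the authenticated submitter."""
    return sub.sender


def is_tampered(sub: Submission) -> bool:
    """A hidden username that no longer matches the sender means the form
    was edited client-side. Returns False when no such field was posted."""
    posted = sub.fields.get("username")
    return posted is not None and posted != sub.sender


def audit(submissions: list) -> list:
    """Return audit records for every mismatched submission, for logging/alerting."""
    return [
        {"sender": s.sender, "posted_username": s.fields.get("username")}
        for s in submissions
        if is_tampered(s)
    ]


# Constructed sample submissions: one honest, one with the hidden field edited.
LEGIT = Submission(sender="alice", fields={"username": "alice"})
TAMPERED = Submission(sender="mallory", fields={"username": "alice"})

if __name__ == "__main__":
    print("hidden field would delete:", target_from_hidden_field(TAMPERED))  # alice
    print("sender field would delete:", target_from_sender(TAMPERED))        # mallory
    print("audit:", audit([LEGIT, TAMPERED]))
```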
