Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow users to fill out forms as GUEST and send email responses #870

Merged
merged 1 commit into from
Feb 18, 2025
Merged

Allow users to fill out forms as GUEST and send email responses #870

merged 1 commit into from
Feb 18, 2025

Conversation

Isti01
Copy link
Collaborator

@Isti01 Isti01 commented Feb 14, 2025
edited
Loading

closes #859

@Isti01 Isti01 changed the title Allow users to fill out forms as GUEST and send email responses by fi… Allow users to fill out forms as GUEST and send email responses Feb 14, 2025
SzBeni2003
SzBeni2003 reviewed Feb 15, 2025
View reviewed changes
backend/src/main/kotlin/hu/bme/sch/cmsch/component/form/FormService.kt
@@ -67,21 +73,22 @@ open class FormService(
if (form.availableUntil < now)
return FormView(status = FormStatus.TOO_LATE)

if (form.allowedGroups.isNotBlank() && userRepository.findById(user.id)
if (user?.id != null && form.allowedGroups.isNotBlank() && userRepository.findById(user.id)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This probably works this way too, but I would probably only check on the user, not the id of it.

SzBeni2003
SzBeni2003 reviewed Feb 15, 2025
View reviewed changes
backend/src/main/kotlin/hu/bme/sch/cmsch/component/form/FormService.kt
} else {
responseRepository.findByFormIdAndSubmitterUserId(form.id, user.id).orElse(null)
user?.id?.let { responseRepository.findByFormIdAndSubmitterUserId(form.id, it).getOrNull() }
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same here, this probably works just fine, but I don't think we need to check both the user and the id of the user.
By the way, will the submissionEntity default to null if the user is null?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Passing null to an SQL query has a very different meaning than skipping the query if the parameter is null

SzBeni2003
SzBeni2003 approved these changes Feb 15, 2025
View reviewed changes
Copy link
Contributor

@SzBeni2003 SzBeni2003 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good to me

@albi005
Copy link
Member

albi005 commented Feb 15, 2025

One issue I see is that the POST /api/forms/{path} endpoint could be abused using a bot to send confirmation emails to random addresses, thereby hurting Kir-Mail's reputation. In StartSCH this is solved by requiring authentication through AuthSCH and throttling so that a user can only send an email every 30 seconds, but this is obviously not an option here.

A few ideas on how this could be handled:

  1. we could set a limit on how many messages can be triggered by unauthenticated users globally
    • This breaks when there are a lot of users signing up at the same time
  2. by limiting by IP address
    • can be exploited by using multiple IPs, but would be a lot harder than a simple script
  3. by adding a CAPTCHA

albi005
albi005 reviewed Feb 15, 2025
View reviewed changes
backend/src/main/kotlin/hu/bme/sch/cmsch/component/form/FormService.kt
val form = formRepository.findAllByUrl(path).getOrNull(0)
?: return FormView(status = FormStatus.NOT_FOUND)

if ((form.minRole.value > user.role.value || form.maxRole.value < user.role.value) && !user.role.isAdmin)
val role = user?.role ?: RoleType.GUEST
Copy link
Member

@albi005 albi005 Feb 15, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just an idea:
We could have an UnauthenticatedUser : CmschUser instead of null for representing unauthenticated users, and then these null-checks wouldn't be needed. This would require making most of the attributes on CmschUser nullable, so might not be worth it

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I like it. I think it would improve the codebase. But it would be a part of a major, bigger scope refactor in my opinion

backend/src/main/kotlin/hu/bme/sch/cmsch/component/form/FormService.kt Outdated
}


private fun getEmailForConfirmation(
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
private fun getEmailForConfirmation(
private fun getEmailAddressForConfirmation(

@Isti01 Isti01 force-pushed the feature/work-on-admission branch from bd3a594 to 3df4629 Compare February 18, 2025 12:53
@Isti01 Isti01 merged commit 39c5214 into staging Feb 18, 2025
19 of 21 checks passed
@Isti01 Isti01 deleted the feature/work-on-admission branch February 18, 2025 12:57
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@albi005 albi005 albi005 left review comments

@SzBeni2003 SzBeni2003 SzBeni2003 approved these changes

@Gerviba Gerviba Awaiting requested review from Gerviba

@berenteb berenteb Awaiting requested review from berenteb

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Send confirmation emails for form submissions
3 participants
@Isti01 @albi005 @SzBeni2003