There is in my opinion a major UX bug when creating users.
The use case is simple; as an entity, I created a form that will be used by a select group of third party people.
Those people (more than 200) will then use the form to enter data that are tied to them (hence I add the username in the metadata).
They won’t have permission to view the submissions of others (so I had to prevent the ‘View submissions’ since there is no ‘View own submissions’ permission that I know of).
In order to simplify the account creation difficulties, I created a script to batch create those third party accounts in KoboToolbox.
I checked and those accounts can log in to KoboToolbox; everything is working fine.
Since I do not want anonymous submissions for this form, I updated the account settings for the account that created the form to force authentication to view the forms and submit data.
Now, here is the problem I encounter: using the account that created the form, I give the “Add submissions/view submissions” permissions to 2 accounts whose usernames are user92 and user93.
To test that the permissions are ok I followed 2 testing paths:
- Use a browser with no cookies nor any storage data for the KoboToolbox domain (ie. https://ee.mydomain.com/)
- Go to https://kf.mydomain.com/, then login with user92.
- Then from there, open the form https://ee.mydomain.com/x/Foobar; everything is working as intended.
- Use a browser with no cookies nor any storage data for the KoboToolbox domain (ie. https://ee.mydomain.com/)
- Since the third party users are not really tech-savvy, I want to send them the direct form url, so that they just have to login to see the form
- So I paste the form url https://ee.mydomain.com/x/Foobar in the browser
- I can see that the form is not displayed, and a login/password is asked (great!)
- I enter the credentials for user93, then hit Submit
- Then UX-wise it fails spectacularly since the login page is just reloaded and cleared; the user is stuck in an infinite loop where logging in never gets him out of the login page! (the url in the browser is https://ee.mydomain.com/login?return_url=https%3A%2F%2Fee.mydomain.com%2Fx%2FFoobar)
- Trying to force the url to https://ee.mydomain.com/x/Foobar redirects the user to the login page
The expected result is that logging in should:
- login successfully, and
- return the user to the form, not the login page
To give more technical details, I checked the network tab when trying to login, and I see
- login?return_url… POST → 302 Found
- Foobar GET → 200 OK
- lots of successful woff/css/svg requests
- Foobar POST → 401 Unauthorized
- then loop again
It seems the login via ee.mydomain does not work.