In getting a blank form through the KoBoCollect application as a shared user, I am able to get other forms of the user, fill in the form, and send the forms. I verified through the owner account whether the data gets through, and it does. This compromises the analysis of the data collection. Please fix this ASAP.
Steps to Reproduce
- In the server settings of the KoBoCollect app, edit the server to another KoBoToolbox user’s server.
- Get a blank form to view what is supposedly only the shared forms.
- Fill and send the forms.
- Check the data of the owner account.
I expected that, in changing my server to another user’s server and getting a blank form, I would not be able to access any of the forms unless they were shared with me.
I am able to get, fill in, and send forms that were not shared with me through the KoBoCollect app. All I had to do was know the URL of another user to gain access to these forms.
Please fix ASAP, as there is a serious risk of compromising important data analysis.