Re: Security problem in notification links


#4714

MABrown
Participant

You said, “If the forms are accessed via the SSO gateway, then this (User – domain username) field will only populate if a Perfectforms user is accessing the form…”

However, this does not match my test results. If an unlicensed user is accessing a form instance (from a notification) via the SSO gateway, it is possible for a field set at form-open by the “User – Domain username” property to be populated, as could any field populated by one of the “User” properties, with the information of the intended recipient of the notification.

Furthermore, when following such a link the form role is always determined by the intended recipient of the notification, thus granting any user following that link the rights of that role. I know this because I am using the special-fields properties you describe in my added security.

Here is how it works so far; in the “Form is opened” behavior, the form attempts to set three fields:

Current Role – populated by “Form – Role” property

Licensed Username – populated by “User – Domain username” property

Unlicensed Username – populated by “Gateway – HTTP USER” property

When a form instance is opened through a normal link or the dashboard, it behaves as you described. The role is determined by the user. If the user does not have permission, the role is “Unspecified”. Also, only one of the username fields is populated, depending on whether or not the user has a PerfectForms account. If a user attempts to bypass SSO, neither field is populated. This makes for an easy check.

When a form instance is opened through a notification link, the “Current Role” field matches the role set when setting up the notification, regardless of who clicks the link – even if the instance is opened bypassing SSO. In the event the intended recipient of the notification is a licensed user, then the Licensed Username field is populated with their username, and can be opened by any unlicensed user (or anonymously).

As a result, my security behavior cannot reliably check against the Current Role or Licensed Username fields in the event the form is opened from a notification link. Also, I cannot set up the behavior to determine whether the form was opened from a notification, so I am at an impasse. No matter how I configure my security, there is always a way around it.

With respect to the comparison to usernames/passwords, most people keep that information in their memory, as opposed to an email generated by a system that is not under their control, so I do not believe the comparison is fair. With respect to how a notification could become available to the wrong user, it could be as easy as forwarding a message to another user, but regardless of how it could be done, I would feel much more comfortable with the system if I didn’t need to worry about it at all.
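The failure mode described in the post above, modelled in Python as an added example. This is not PerfectForms code and does not reproduce the platform's internals; the `Session`, `NotificationLink`, `ROLE_BY_USER` names and the three-field layout are assumptions taken from the post. `populate_as_described` models the reported behaviour (role and licensed username taken from the notification's intended recipient, whoever clicks), `populate_hardened` shows the fix a practitioner would want (identity always from the authenticated session, with the link granting its role only to the recipient it was addressed to), and `passes_open_check` is the style of open-time check the post says cannot distinguish a legitimate open from a forwarded or anonymous one.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed role table (assumption): which licensed users hold which form role.
ROLE_BY_USER = {"alice": "Approver", "bob": "Submitter"}


@dataclass(frozen=True)
class Session:
    """Who is actually opening the form, as seen at the SSO gateway.

    domain_user: licensed (PerfectForms-account) username, if any
    http_user:   gateway HTTP user for an unlicensed SSO user, if any
    Both None models a request that bypassed SSO entirely.
    """
    domain_user: Optional[str] = None
    http_user: Optional[str] = None


@dataclass(frozen=True)
class NotificationLink:
    """What a notification link carries: the instance, the intended recipient
    and the role the notification was configured with (assumed model)."""
    instance_id: str
    recipient: str
    role: str


def populate_as_described(session: Session, link: Optional[NotificationLink]) -> dict:
    """Values of the three fields at 'Form is opened', following the behaviour
    the post reports. A model of that report, not platform code."""
    if link is None:
        # Normal link or dashboard: everything follows the actual user.
        return {
            "current_role": ROLE_BY_USER.get(session.domain_user, "Unspecified"),
            "licensed_username": session.domain_user,
            "unlicensed_username": None if session.domain_user else session.http_user,
        }
    # Notification link: role and licensed username come from the intended
    # recipient, regardless of who clicks, even when SSO was bypassed.
    return {
        "current_role": link.role,
        "licensed_username": link.recipient if link.recipient in ROLE_BY_USER else None,
        "unlicensed_username": None if session.domain_user else session.http_user,
    }


def populate_hardened(session: Session, link: Optional[NotificationLink]) -> dict:
    """Hardened variant (added here, not a platform feature): identity always
    comes from the session; the link grants its role only when the session
    user is the intended recipient. Anyone else, or an SSO bypass, gets the
    same fields as a normal open."""
    fields = populate_as_described(session, None)
    actual_user = session.domain_user or session.http_user
    if link is not None and actual_user is not None and actual_user == link.recipient:
        fields["current_role"] = link.role
    return fields


def passes_open_check(fields: dict) -> bool:
    """The kind of check the post describes: a real role and exactly one
    username field populated."""
    names = (fields["licensed_username"], fields["unlicensed_username"])
    has_role = fields["current_role"] != "Unspecified"
    return has_role and sum(n is not None for n in names) == 1


if __name__ == "__main__":
    link = NotificationLink("inst-1", recipient="alice", role="Approver")
    for label, session in (("alice", Session(domain_user="alice")),
                           ("bob", Session(domain_user="bob")),
                           ("anonymous", Session())):
        print(label, "as described:", populate_as_described(session, link),
              "check:", passes_open_check(populate_as_described(session, link)))
        print(label, "hardened:    ", populate_hardened(session, link),
              "check:", passes_open_check(populate_hardened(session, link)))
```

Run it and the "as described" rows for alice and for the anonymous open are identical, which is exactly why an open-time check on Current Role or Licensed Username cannot tell them apart; in the hardened rows only alice keeps the Approver role, bob falls back to his own role, and the anonymous open fails the check.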