Custom form security levels and unexpected results #695

Closed
pdestefanis opened this issue Jul 11, 2012 · 4 comments

@pdestefanis
Collaborator

I am testing role-based restrictions on custom forms; the implementation on 2.4:master gives me the following results. It seems this is related to fields not showing as Read-Only when the user has only "View", based on his Role and the field Access Level.

Role: High (90)
Role: Low (50)

For a field defined as

Submit: High
View: Low

Logged in as High:
Field shows - OK
Field contents show - OK
Data can be added/edited - OK

Logged in as Low:
Field shows - OK
Field contents do not show - NOT OK (the user has the level required for "View")
Data can be added. Any data added completely replaces the original data. - NOT OK (User does not have the level required to Submit)

Expected result: When logged in as Low: The field shows, the existing data shows, but the user cannot edit the data.

For a field defined as

Submit: Low
View: High

Logged in as High:
Field shows - OK
Field contents show - OK
Data can be added/edited - OK

Logged in as Low:
Field does not show - OK (since the level required for "View" should be lower or equal to that required for "Submit")

@pdestefanis
Collaborator Author

Checked on 2.5b. The user with Read-Only (RO) permissions can still edit the field, but cannot see previous contents (previous contents are lost).
The field contents do not show for users with RO or RW, even if they are stored in the database (this is new in 2.5b).

@pdestefanis
Collaborator Author

Further testing: the data in custom fields does not show, regardless of the visibility set for the fields.

@rjmackay
Contributor

Been working through this - it's really hard to figure out but:

  • Fixed view-only fields weren't showing data when editing - added the data
  • fields with submit but not view - these will not be editable.

Think this is now correct.

Outstanding issue: members are treated the same as 'anyone'

rjmackay added a commit to rjmackay/Ushahidi_Web that referenced this issue Apr 16, 2013
* Form field mismatch function wasn't returning sane results, rewritten
to join to the roles table as other customforms queries do.
* Field validation was checking role id against access_level. Fix to compare
access level with access level
* Fix 'view only' fields in edit to actually have data

@kamaulynder
Contributor

Fixed, closing.
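
The behaviour this thread converges on (view-only fields show their data but reject edits, a field with submit but not view is not editable, and access level is compared with access level rather than a role id), as an added example that is not Ushahidi's code. The names `Field`, `field_mode`, `visible_values` and `apply_submission` are hypothetical, and the example assumes that a higher number means more access, as with High (90) and Low (50) in the report.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Field:
    name: str
    view_level: int    # minimum access level needed to see the stored value
    submit_level: int  # minimum access level needed to change the value

def field_mode(user_level: int, field: Field) -> str:
    """Compare access level with access level (never a role id)."""
    if user_level < field.view_level:
        return "hidden"  # submit-without-view is not editable either
    return "editable" if user_level >= field.submit_level else "readonly"

def visible_values(user_level, fields, stored):
    """Values to render; read-only fields still carry their stored data."""
    return {f.name: stored.get(f.name) for f in fields
            if field_mode(user_level, f) != "hidden"}

def apply_submission(user_level, fields, stored, submitted):
    """Server-side merge: only editable fields may replace stored data."""
    merged, rejected = dict(stored), []
    for f in fields:
        if f.name not in submitted:
            continue
        if field_mode(user_level, f) == "editable":
            merged[f.name] = submitted[f.name]
        else:
            rejected.append(f.name)  # stored value is left untouched
    return merged, rejected

# Constructed sample data mirroring the two field definitions in the issue.
HIGH, LOW = 90, 50
FIELDS = [Field("notes", view_level=LOW, submit_level=HIGH),
          Field("internal", view_level=HIGH, submit_level=LOW)]
STORED = {"notes": "original notes", "internal": "original internal"}

if __name__ == "__main__":
    for label, level in (("High", HIGH), ("Low", LOW)):
        print(label, {f.name: field_mode(level, f) for f in FIELDS})
        print(" sees:", visible_values(level, FIELDS, STORED))
        print(" after POST:", apply_submission(
            level, FIELDS, STORED, {"notes": "tampered", "internal": "tampered"}))
```

The merge runs on the server regardless of how the form was rendered, so a value posted for a read-only or hidden field is dropped instead of replacing the stored data.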
