Can anonymous submit a publicly shared survey via the API?

Anonymous User · ‎05-16-2017

Hello,

I've created a publicly shared survey in AGOL and have been looking at it to see if there are any security issues with which we need to be concerned. I've changed the permissions on the _fieldworker view as follows:

"Only add new features"
"Editors can't see any features, even those they add"
"Only add new features, if allowed above (requires tracking)"

Opening the Service URL to look at the ArcGIS REST Services directory for the _fieldworker view, The Supported Operations for the service show "Add Features" and "Apply Edits" available. Given the permissions above, would an anonymous user be able to write code to submit new surveys?

Thanks,
Jim

JamesTedrick · ‎05-17-2017

You would need to make sure that anonymous users have the same permissions as the editors (the next section done below 'Editors can't see any features', but what you've described sounds correct.

Anonymous User · ‎05-18-2017

Thanks for the response James. Let me clarify to make sure I understand.

Right now anonymous users (not signed in) have the "Only add new features, if allowed above (requires tracking)" option selected. I want it to be set so that data cannot be submitted anonymously via code but that the Survey123 webapp can.. Have I set it correctly?

I'm not a developer but see the rest endpoints for "Add Features" and "Apply Edits" are available.

Thanks,

Jim

JamesTedrick · ‎05-30-2017

Hi Jim,

There isn't an easy way to restrict the submission by application. From a technical perspective, what you've defined as submission via code are the same operations that Survey123 use to submit data (the ApplyEdits endpoint).