From 46bdc4d5fd4dbdb6731afbdb82368d0863feaf47 Mon Sep 17 00:00:00 2001
From: Chris Lovering <chris.lovering.95@gmail.com>
Date: Fri, 21 Jan 2022 15:59:44 +0000
Subject: Don't include user mention for anonymous form submissions

We currently use WEBHOOK_ENABLED to determine whether user data should be stored to the db. However, when webhooking a form submission this config is ignored, and the user mention is always included if available.

This means that if a user login in using another form, and then submits an anonymous form with the same session, their name will be included in the webhook.
---
 backend/routes/forms/submit.py | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

(limited to 'backend/routes')

diff --git a/backend/routes/forms/submit.py b/backend/routes/forms/submit.py
index 8d9f4e5..95e30b0 100644
--- a/backend/routes/forms/submit.py
+++ b/backend/routes/forms/submit.py
@@ -234,11 +234,15 @@ class SubmitForm(Route):
 
             tasks = BackgroundTasks()
             if constants.FormFeatures.WEBHOOK_ENABLED.value in form.features:
+                if constants.FormFeatures.REQUIRES_LOGIN.value in form.features:
+                    request_user = request.user
+                else:
+                    request_user = None
                 tasks.add_task(
                     self.send_submission_webhook,
                     form=form,
                     response=response_obj,
-                    request_user=request.user
+                    request_user=request_user
                 )
 
             if constants.FormFeatures.ASSIGN_ROLE.value in form.features:
-- 
cgit v1.2.3