Is there any way to replace the contact id with some type of hash value in a url I'm using to prepopulate a form?
I want to send an email via rules that will have a link to a form with some questions (fields on an activity) that can be submitted & attached to their contact without the submitter needing to log in (most contacts don't / won't have Drupal user accounts).
I've already figured out how to make the above happen (thanks to the info here --> https://www.drupal.org/node/1599032), but I'm concerned with the idea that someone who has the url could add bogus activities simply by guessing contact IDs. I'm not saying this is likely, but it seems like 'security through obscurity' and I'd prefer not to rely on that if I don't need to.
A quick search turns up a few modules that do this for the UID, and of course there's the url sent when a user requests a password reset, so I assume this is at least possible, even if it is not implemented, right?
So, is there something built in already that I've just missed? If not, are there any suggestions for how I could implement this kind of thing?
Thanks in advance for any / all help on this!
Dan
Comments
Comment #2
rosk0
Sure, everything is possible!
You will probably need to create a custom page callback to replace your hash with the decoded contact ID and then provide this ID to the form builder. But this would be completely your custom solution.
Or you can go another way: CRM Core Contact already has UUID support; this means that you can extend CRM Core Profile in a way that would allow using the contact UUID to prepopulate the profile form. A UUID is not a hash, but it is also not an incremental ID, and it's nearly impossible to guess the next/previous ID.
Comment #3
dang42 commented
Excellent - thank you very much!
I'll eventually see if I can figure out how to substitute a hash for the contact ID (just 'cause I think it would be interesting to tackle), but your idea of using the UUID is one I hadn't considered. Still technically "security through obscurity", but really obscure will be more than good enough for now... :)
Thanks again!
Dan
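One way to build the kind of link discussed in this thread, as an added example that is not part of the original posts and is not Drupal or CRM Core code: the contact ID stays readable in the token, but a keyed HMAC over the ID and an expiry time means a link for another contact cannot be produced without the server-side key. The function names, token layout and sample key are assumptions; wiring the check into a page callback is not shown.

```php
<?php
// Added example in plain PHP (no Drupal or CRM Core APIs). Function names,
// the token layout and the sample key are assumptions made for illustration.

// Token layout: "<contactId>-<expiry>-<hex HMAC-SHA256 of 'contactId-expiry'>".
function make_contact_token(int $contactId, int $expires, string $key): string {
    $payload = $contactId . '-' . $expires;
    return $payload . '-' . hash_hmac('sha256', $payload, $key);
}

// Returns the contact ID, or null when the token is malformed, forged or expired.
function verify_contact_token(string $token, string $key, int $now): ?int {
    // Strict shape check first, so nothing else ever parses untrusted input.
    if (!preg_match('/^(\d{1,10})-(\d{1,10})-([0-9a-f]{64})$/D', $token, $m)) {
        return null;
    }
    // Recompute the MAC over exactly the bytes received and compare in
    // constant time; a changed ID or expiry no longer matches.
    $expected = hash_hmac('sha256', $m[1] . '-' . $m[2], $key);
    if (!hash_equals($expected, $m[3])) {
        return null;
    }
    // The expiry is covered by the MAC, so it can be trusted once the MAC passes.
    if ((int) $m[2] < $now) {
        return null;
    }
    return (int) $m[1];
}

// Constructed sample values. A real key is a long random secret that stays
// on the server and never appears in the e-mail or the URL.
$key = 'constructed-demo-key-not-for-production';
$now = 1700000000;
$token = make_contact_token(42, $now + 7 * 86400, $key);

// Case 1: untouched link, checked before it expires.
var_dump(verify_contact_token($token, $key, $now));
// Case 2: same link checked after the expiry time.
var_dump(verify_contact_token($token, $key, $now + 8 * 86400));
// Case 3: contact ID edited in the URL, MAC left as it was.
var_dump(verify_contact_token(preg_replace('/^42-/', '43-', $token), $key, $now));
// Case 4: token signed with a key the server does not use.
var_dump(verify_contact_token(make_contact_token(43, $now + 60, 'guess'), $key, $now));
```

Only the first case returns a contact ID; the form handler should treat `null` as "do not prepopulate and do not attach the activity".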