
Unauthorized Access to Non-Public Application via URL Manipulation

Open dkatzz opened this issue 1 year ago • 2 comments

Describe the bug

By manipulating the program ID within the URL (https://staging-aws.civiform.dev/programs/<ID>/review), applicants can access and submit data to programs even if they are not public to the applicant (Hidden from applicants, Trusted Intermediaries ONLY, Visible to Selected Trusted Intermediaries ONLY).

To Reproduce

Steps to reproduce the behavior:

  1. Create and publish a program
  2. Apply as an applicant and get the URL
  3. Hide the program and publish
  4. Use the URL copied in step 2 and add /review and you're able to edit and submit the application

Expected behavior

A user without access should not be able to view the program.

dkatzz, Mar 20 '24 15:03
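An added example (not CiviForm's own code) of the server-side check the report asks for: the review route decides from the program's visibility setting and the caller's role, not from whether the caller was able to obtain a URL containing the ID. The visibility names mirror the ones listed in the report; the data model, the `ti_group` field, the sample programs and the policy that HIDDEN denies every non-admin principal are assumptions.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, FrozenSet, Optional, Tuple


class Visibility(Enum):
    """Visibility settings named in the report (hypothetical enum)."""
    PUBLIC = "public"
    HIDDEN = "hidden"                      # "Hidden from applicants"
    TI_ONLY = "ti_only"                    # "Trusted Intermediaries ONLY"
    SELECTED_TI_ONLY = "selected_ti_only"  # "Visible to Selected Trusted Intermediaries ONLY"


@dataclass(frozen=True)
class Program:
    id: int
    visibility: Visibility
    allowed_ti_groups: FrozenSet[str] = frozenset()  # used only for SELECTED_TI_ONLY


@dataclass(frozen=True)
class Principal:
    is_trusted_intermediary: bool = False
    ti_group: Optional[str] = None  # assumed: the TI group the caller belongs to


def can_access_program(who: Principal, program: Program) -> bool:
    """Authorization decision; knowing the numeric ID grants nothing by itself."""
    if program.visibility is Visibility.PUBLIC:
        return True
    if program.visibility is Visibility.HIDDEN:
        return False  # assumption: hidden means inaccessible to applicants and TIs
    if not who.is_trusted_intermediary:
        return False  # both remaining settings are TI-only
    if program.visibility is Visibility.TI_ONLY:
        return True
    return who.ti_group in program.allowed_ti_groups  # SELECTED_TI_ONLY


# Constructed sample programs; 107375 is the ID quoted in the thread.
PROGRAMS: Dict[int, Program] = {
    107375: Program(107375, Visibility.HIDDEN),
    2: Program(2, Visibility.PUBLIC),
    3: Program(3, Visibility.TI_ONLY),
    4: Program(4, Visibility.SELECTED_TI_ONLY, frozenset({"county-housing"})),
}


def review_handler(who: Principal, program_id: int) -> Tuple[int, str]:
    """Simulated GET /programs/<ID>/review; the edit/submit routes reuse the same check."""
    program = PROGRAMS.get(program_id)
    # One response for "missing" and "not allowed", so the ID space cannot be
    # walked to learn which non-public programs exist.
    if program is None or not can_access_program(who, program):
        return 404, "Not found"
    return 200, f"review page for program {program.id}"
```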

I think this was by design, that "hidden" didn't mean "inaccessible". But perhaps that's not true.

nb1701, Apr 09 '24 18:04

I think ideally we could show the URL as https://staging-aws.civiform.dev/programs/minimal-sample-program instead of https://staging-aws.civiform.dev/programs/107375/review (but that may get a little tricky with old versions that were submitted), since it would prevent people from having URLs of older versions. Some of those issues may get fixed with the fast forwarding work though: https://github.com/civiform/civiform/issues/5541.

dkatzz, Apr 09 '24 20:04