From d617083a5f7de7f984d45616056b356592582479 Mon Sep 17 00:00:00 2001
From: Coleman Watts <coleman@civicrm.org>
Date: Sat, 22 May 2021 21:00:15 -0400
Subject: [PATCH] Afform - Improve Gui, prefill & submit APIs

Standardizes prefill & submit APIs to use the same logic for validating contacts.
Displays correct form URL in GUI depending on is_frontend setting.
Shows warning about url arguments to prevent unintentional permissions escalation.
---
 ext/afform/admin/afformEntities/Activity.php  |  3 +-
 ext/afform/admin/afformEntities/Household.php |  3 +-
 .../admin/afformEntities/Individual.php       |  3 +-
 .../admin/afformEntities/Organization.php     |  3 +-
 ext/afform/admin/ang/afAdmin.js               |  2 +-
 ext/afform/admin/ang/afAdmin/afAdminList.html |  2 +-
 .../ang/afGuiEditor/afGuiEditor.component.js  | 61 +++++++-----
 .../ang/afGuiEditor/afGuiEditorCanvas.html    |  6 +-
 .../ang/afGuiEditor/afGuiEditorPalette.html   |  2 +-
 .../admin/ang/afGuiEditor/config-form.html    | 28 +++---
 .../ang/afGuiEditor/entityConfig/Contact.html |  8 +-
 .../ang/afGuiEditor/entityConfig/Generic.html | 30 ++++--
 .../Civi/Afform/Event/AfformSubmitEvent.php   |  2 +-
 .../Api4/Action/Afform/AbstractProcessor.php  | 94 +++++++++++++++++--
 .../core/Civi/Api4/Action/Afform/Prefill.php  | 64 +------------
 .../core/Civi/Api4/Action/Afform/Submit.php   | 49 +++++-----
 ext/afform/mock/ang/mockPublicForm.test.php   |  9 +-
 .../tests/phpunit/api/v4/AfformUsageTest.php  | 80 ++++++++++++++--
 18 files changed, 278 insertions(+), 171 deletions(-)

diff --git a/ext/afform/admin/afformEntities/Activity.php b/ext/afform/admin/afformEntities/Activity.php
index 200ddeb7e8..860d68fd1d 100644
--- a/ext/afform/admin/afformEntities/Activity.php
+++ b/ext/afform/admin/afformEntities/Activity.php
@@ -4,8 +4,7 @@ return [
     data: {
       source_contact_id: 'user_contact_id',
       activity_type_id: ''
-    },
-    'url-autofill': '1'
+    }
   }",
   'boilerplate' => [
     ['#tag' => 'af-field', 'name' => 'subject'],
diff --git a/ext/afform/admin/afformEntities/Household.php b/ext/afform/admin/afformEntities/Household.php
index 159388b072..20cbab0c6d 100644
--- a/ext/afform/admin/afformEntities/Household.php
+++ b/ext/afform/admin/afformEntities/Household.php
@@ -4,8 +4,7 @@ return [
     data: {
       contact_type: 'Household',
       source: afform.title
-    },
-    'url-autofill': '1'
+    }
   }",
   'icon' => 'fa-home',
   'boilerplate' => [
diff --git a/ext/afform/admin/afformEntities/Individual.php b/ext/afform/admin/afformEntities/Individual.php
index ef2d43b350..31e5ace425 100644
--- a/ext/afform/admin/afformEntities/Individual.php
+++ b/ext/afform/admin/afformEntities/Individual.php
@@ -4,8 +4,7 @@ return [
     data: {
       contact_type: 'Individual',
       source: afform.title
-    },
-    'url-autofill': '1'
+    }
   }",
   'icon' => 'fa-user',
   'boilerplate' => [
diff --git a/ext/afform/admin/afformEntities/Organization.php b/ext/afform/admin/afformEntities/Organization.php
index bd0f602b7e..ecbf7fdd70 100644
--- a/ext/afform/admin/afformEntities/Organization.php
+++ b/ext/afform/admin/afformEntities/Organization.php
@@ -4,8 +4,7 @@ return [
     data: {
       contact_type: 'Organization',
       source: afform.title
-    },
-    'url-autofill': '1'
+    }
   }",
   'icon' => 'fa-building',
   'boilerplate' => [
diff --git a/ext/afform/admin/ang/afAdmin.js b/ext/afform/admin/ang/afAdmin.js
index f50e46ddca..e118f5c8d3 100644
--- a/ext/afform/admin/ang/afAdmin.js
+++ b/ext/afform/admin/ang/afAdmin.js
@@ -11,7 +11,7 @@
           // Load data for lists
           afforms: function(crmApi4) {
             return crmApi4('Afform', 'get', {
-              select: ['name', 'title', 'type', 'server_route', 'has_local', 'has_base', 'is_dashlet', 'contact_summary:label']
+              select: ['name', 'title', 'type', 'server_route', 'is_public', 'has_local', 'has_base', 'is_dashlet', 'contact_summary:label']
             });
           }
         }
diff --git a/ext/afform/admin/ang/afAdmin/afAdminList.html b/ext/afform/admin/ang/afAdmin/afAdminList.html
index e8b50d7db1..3a61badce1 100644
--- a/ext/afform/admin/ang/afAdmin/afAdminList.html
+++ b/ext/afform/admin/ang/afAdmin/afAdminList.html
@@ -67,7 +67,7 @@
         <code>{{ afform.name }}</code>
       </td>
       <td>
-        <a ng-if="afform.server_route" ng-href="{{ crmUrl(afform.server_route) }}" target="_blank">
+        <a ng-if="afform.server_route" ng-href="{{:: crmUrl(afform.server_route, null, afform.is_public ? 'front' : 'back') }}" target="_blank">
           <code>{{ afform.server_route }}</code>
         </a>
       </td>
diff --git a/ext/afform/admin/ang/afGuiEditor/afGuiEditor.component.js b/ext/afform/admin/ang/afGuiEditor/afGuiEditor.component.js
index ba46a74fb7..13a4bbe5ad 100644
--- a/ext/afform/admin/ang/afGuiEditor/afGuiEditor.component.js
+++ b/ext/afform/admin/ang/afGuiEditor/afGuiEditor.component.js
@@ -20,9 +20,8 @@
     controllerAs: 'editor',
     controller: function($scope, crmApi4, afGui, $parse, $timeout, $location) {
       var ts = $scope.ts = CRM.ts('org.civicrm.afform_admin');
-      $scope.crmUrl = CRM.url;
 
-      $scope.afform = null;
+      this.afform = null;
       $scope.saving = false;
       $scope.selectedEntityName = null;
       this.meta = afGui.meta;
@@ -48,15 +47,15 @@
 
       // Initialize the current form
       function initializeForm() {
-        $scope.afform = editor.data.definition;
-        if (!$scope.afform) {
+        editor.afform = editor.data.definition;
+        if (!editor.afform) {
           alert('Error: unknown form');
         }
         if (editor.mode === 'clone') {
-          delete $scope.afform.name;
-          delete $scope.afform.server_route;
-          $scope.afform.is_dashlet = false;
-          $scope.afform.title += ' ' + ts('(copy)');
+          delete editor.afform.name;
+          delete editor.afform.server_route;
+          editor.afform.is_dashlet = false;
+          editor.afform.title += ' ' + ts('(copy)');
         }
         $scope.canvasTab = 'layout';
         $scope.layoutHtml = '';
@@ -65,7 +64,7 @@
 
         if (editor.getFormType() === 'form') {
           editor.allowEntityConfig = true;
-          editor.layout['#children'] = afGui.findRecursive($scope.afform.layout, {'#tag': 'af-form'})[0]['#children'];
+          editor.layout['#children'] = afGui.findRecursive(editor.afform.layout, {'#tag': 'af-form'})[0]['#children'];
           $scope.entities = _.mapValues(afGui.findRecursive(editor.layout['#children'], {'#tag': 'af-entity'}, 'name'), backfillEntityDefaults);
 
           if (editor.mode === 'create') {
@@ -75,8 +74,8 @@
         }
 
         else if (editor.getFormType() === 'block') {
-          editor.layout['#children'] = $scope.afform.layout;
-          editor.blockEntity = $scope.afform.join || $scope.afform.block;
+          editor.layout['#children'] = editor.afform.layout;
+          editor.blockEntity = editor.afform.join || editor.afform.block;
           $scope.entities[editor.blockEntity] = backfillEntityDefaults({
             type: editor.blockEntity,
             name: editor.blockEntity,
@@ -85,7 +84,7 @@
         }
 
         else if (editor.getFormType() === 'search') {
-          editor.layout['#children'] = afGui.findRecursive($scope.afform.layout, {'af-fieldset': ''})[0]['#children'];
+          editor.layout['#children'] = afGui.findRecursive(editor.afform.layout, {'af-fieldset': ''})[0]['#children'];
           editor.searchDisplay = afGui.findRecursive(editor.layout['#children'], function(item) {
             return item['#tag'] && item['#tag'].indexOf('crm-search-display-') === 0;
           })[0];
@@ -94,18 +93,18 @@
 
         // Set changesSaved to true on initial load, false thereafter whenever changes are made to the model
         $scope.changesSaved = editor.mode === 'edit' ? 1 : false;
-        $scope.$watch('afform', function () {
+        $scope.$watch('editor.afform', function () {
           $scope.changesSaved = $scope.changesSaved === 1;
         }, true);
       }
 
       this.getFormType = function() {
-        return $scope.afform.type;
+        return editor.afform.type;
       };
 
       $scope.updateLayoutHtml = function() {
         $scope.layoutHtml = '...Loading...';
-        crmApi4('Afform', 'convert', {layout: $scope.afform.layout, from: 'deep', to: 'html', formatWhitespace: true})
+        crmApi4('Afform', 'convert', {layout: editor.afform.layout, from: 'deep', to: 'html', formatWhitespace: true})
           .then(function(r){
             $scope.layoutHtml = r[0].layout || '(Error)';
           })
@@ -161,6 +160,7 @@
         if (meta.fields) {
           addToCanvas();
         } else {
+          $timeout(editor.adjustTabWidths);
           crmApi4('Afform', 'loadAdminData', {
             definition: {type: 'form'},
             entity: type
@@ -191,6 +191,13 @@
         return $scope.selectedEntityName;
       };
 
+      this.getEntityDefn = function(entity) {
+        if (entity.type === 'Contact' && entity.data.contact_type) {
+          return editor.meta.entities[entity.data.contact_type];
+        }
+        return editor.meta.entities[entity.type];
+      };
+
       // Scroll an entity's first fieldset into view of the canvas
       this.scrollToEntity = function(entityName) {
         var $canvas = $('#afGuiEditor-canvas-body'),
@@ -204,7 +211,7 @@
       };
 
       this.getAfform = function() {
-        return $scope.afform;
+        return editor.afform;
       };
 
       this.getEntities = function(filter) {
@@ -212,14 +219,14 @@
       };
 
       this.toggleContactSummary = function() {
-        if ($scope.afform.contact_summary) {
-          $scope.afform.contact_summary = false;
-          if ($scope.afform.type === 'search') {
+        if (editor.afform.contact_summary) {
+          editor.afform.contact_summary = false;
+          if (editor.afform.type === 'search') {
             delete editor.searchDisplay.filters;
           }
         } else {
-          $scope.afform.contact_summary = 'block';
-          if ($scope.afform.type === 'search') {
+          editor.afform.contact_summary = 'block';
+          if (editor.afform.type === 'search') {
             editor.searchDisplay.filters = editor.searchFilters[0].key;
           }
         }
@@ -260,6 +267,12 @@
         return options;
       }
 
+      this.getLink = function() {
+        if (editor.afform.server_route) {
+          return CRM.url(editor.afform.server_route, null, editor.afform.is_public ? 'front' : 'back');
+        }
+      };
+
       // Options for ui-sortable in field palette
       this.getSortableOptions = function(entityName) {
         if (!sortableOptions[entityName + '']) {
@@ -301,21 +314,21 @@
       };
 
       $scope.save = function() {
-        var afform = JSON.parse(angular.toJson($scope.afform));
+        var afform = JSON.parse(angular.toJson(editor.afform));
         // This might be set to undefined by validation
         afform.server_route = afform.server_route || '';
         $scope.saving = $scope.changesSaved = true;
         crmApi4('Afform', 'save', {formatWhitespace: true, records: [afform]})
           .then(function (data) {
             $scope.saving = false;
-            $scope.afform.name = data[0].name;
+            editor.afform.name = data[0].name;
             if (editor.mode !== 'edit') {
               $location.url('/edit/' + data[0].name);
             }
           });
       };
 
-      $scope.$watch('afform.title', function(newTitle, oldTitle) {
+      $scope.$watch('editor.afform.title', function(newTitle, oldTitle) {
         if (typeof oldTitle === 'string') {
           _.each($scope.entities, function(entity) {
             if (entity.data && entity.data.source === oldTitle) {
diff --git a/ext/afform/admin/ang/afGuiEditor/afGuiEditorCanvas.html b/ext/afform/admin/ang/afGuiEditor/afGuiEditorCanvas.html
index 0b767376da..4321a8851a 100644
--- a/ext/afform/admin/ang/afGuiEditor/afGuiEditorCanvas.html
+++ b/ext/afform/admin/ang/afGuiEditor/afGuiEditorCanvas.html
@@ -2,14 +2,14 @@
   <div class="panel-heading">
 
     <div class="form-inline pull-right">
-      <div class="form-group" ng-if="changesSaved && !saving && afform.server_route">
-        <a target="_blank" href="{{ crmUrl(afform.server_route) }}">
+      <div class="form-group" ng-if="changesSaved && !saving && editor.afform.server_route">
+        <a target="_blank" href="{{ editor.getLink() }}">
           <i class="crm-i fa-external-link"></i>
           {{:: ts('View Page') }}
         </a>
       </div>
       <div class="btn-group btn-group-md">
-        <button type="submit" class="btn" ng-class="{'btn-primary': !changesSaved && !saving, 'btn-warning': saving, 'btn-success': changesSaved}" ng-disabled="changesSaved || saving || !afform.title" ng-click="save()">
+        <button type="submit" class="btn" ng-class="{'btn-primary': !changesSaved && !saving, 'btn-warning': saving, 'btn-success': changesSaved}" ng-disabled="changesSaved || saving || !editor.afform.title" ng-click="save()">
           <i class="crm-i" ng-class="{'fa-check': !saving, 'fa-spin fa-spinner': saving}"></i>
           <span ng-if="changesSaved && !saving">{{:: ts('Saved') }}</span>
           <span ng-if="!changesSaved && !saving">{{:: ts('Save') }}</span>
diff --git a/ext/afform/admin/ang/afGuiEditor/afGuiEditorPalette.html b/ext/afform/admin/ang/afGuiEditor/afGuiEditorPalette.html
index 8d3b16fe44..fe098c0f96 100644
--- a/ext/afform/admin/ang/afGuiEditor/afGuiEditorPalette.html
+++ b/ext/afform/admin/ang/afGuiEditor/afGuiEditorPalette.html
@@ -9,7 +9,7 @@
       </li>
       <li role="presentation" ng-repeat="entity in entities" class="fluid-width-tab" ng-class="{active: selectedEntityName === entity.name}" title="{{ entity.label }}">
         <a href ng-click="editor.selectEntity(entity.name); editor.scrollToEntity(entity.name);">
-          <i class="crm-i {{:: editor.meta.entities[entity.type].icon }}"></i>
+          <i class="crm-i {{:: editor.getEntityDefn(entity).icon }}"></i>
           <span ng-if="!entity.loading && editor.allowEntityConfig && selectedEntityName === entity.name" crm-ui-editable ng-model="entity.label" ng-change="editor.adjustTabWidths()">{{ entity.label }}</span>
           <span ng-if="!entity.loading && !(editor.allowEntityConfig && selectedEntityName === entity.name)">{{ entity.label }}</span>
           <i ng-if="entity.loading" class="crm-i fa-spin fa-spinner"></i>
diff --git a/ext/afform/admin/ang/afGuiEditor/config-form.html b/ext/afform/admin/ang/afGuiEditor/config-form.html
index a37cb6a3f3..59d04705b9 100644
--- a/ext/afform/admin/ang/afGuiEditor/config-form.html
+++ b/ext/afform/admin/ang/afGuiEditor/config-form.html
@@ -5,14 +5,14 @@
       {{:: ts('Title') }} <span class="crm-marker">*</span>
     </label>
     <p class="help-block">{{:: ts('Public title (usually displayed at the top of the form).') }}</p>
-    <input ng-model="afform.title" class="form-control" id="af_config_form_title" required title="{{:: ts('Required') }}" />
+    <input ng-model="editor.afform.title" class="form-control" id="af_config_form_title" required title="{{:: ts('Required') }}" />
   </div>
 
   <div class="form-group">
     <label for="af_config_form_description">
       {{:: ts('Description') }}
     </label>
-    <textarea ng-model="afform.description" class="form-control" id="af_config_form_description"></textarea>
+    <textarea ng-model="editor.afform.description" class="form-control" id="af_config_form_description"></textarea>
     <p class="help-block">{{:: ts("Internal note about the form's purpose (not displayed on form).") }}</p>
     <!-- Description is "semi-private": not generally public, but not audited for secrecy -->
   </div>
@@ -21,7 +21,7 @@
     <label for="af_config_form_permission">
       {{:: ts('Permission') }}
     </label>
-    <input ng-model="afform.permission" class="form-control" id="af_config_form_permission" crm-ui-select="{data: editor.meta.permissions}" />
+    <input ng-model="editor.afform.permission" class="form-control" id="af_config_form_permission" crm-ui-select="{data: editor.meta.permissions}" />
     <p class="help-block">{{:: ts('What permission is required to use this form?') }}</p>
   </div>
 
@@ -32,20 +32,20 @@
       <label for="af_config_form_server_route">
         {{:: ts('Page') }}
       </label>
-      <input ng-model="afform.server_route" name="server_route" class="form-control" id="af_config_form_server_route" pattern="^civicrm\/[-0-9a-zA-Z\/_]+$" onfocus="this.value = this.value || 'civicrm/'" onblur="if (this.value === 'civicrm/') this.value = ''" title="{{:: ts('Path must begin with &quot;civicrm/&quot;') }}">
+      <input ng-model="editor.afform.server_route" name="server_route" class="form-control" id="af_config_form_server_route" pattern="^civicrm\/[-0-9a-zA-Z\/_]+$" onfocus="this.value = this.value || 'civicrm/'" onblur="if (this.value === 'civicrm/') this.value = ''" title="{{:: ts('Path must begin with &quot;civicrm/&quot;') }}">
       <p class="help-block">{{:: ts('Expose the form as a standalone webpage. (Example: "civicrm/my-form")') }}</p>
     </div>
 
-    <div class="form-group" ng-if="!!afform.server_route">
+    <div class="form-group" ng-if="!!editor.afform.server_route">
       <label>
-        <input type="checkbox" ng-model="afform.is_public">
-        {{:: ts('Style page to match front-end website') }}
+        <input type="checkbox" ng-model="editor.afform.is_public">
+        {{:: ts('Accessible on front-end of website') }}
       </label>
     </div>
 
-    <div class="form-group" ng-if="!!afform.server_route">
+    <div class="form-group" ng-if="!!editor.afform.server_route">
       <label>
-        <input type="checkbox" ng-model="afform.is_token">
+        <input type="checkbox" ng-model="editor.afform.is_token">
         {{:: ts('Provide Email Token') }}
       </label>
       <p class="help-block">{{:: ts('Allows CiviMail authors to easily link to this page') }}</p>
@@ -53,7 +53,7 @@
 
     <div class="form-group">
       <label>
-        <input type="checkbox" ng-model="afform.is_dashlet">
+        <input type="checkbox" ng-model="editor.afform.is_dashlet">
         {{:: ts('Add to Dashboard') }}
       </label>
       <p class="help-block">{{:: ts('Allow CiviCRM users to add the form to their home dashboard.') }}</p>
@@ -62,17 +62,17 @@
     <div class="form-group">
       <div class="form-inline">
         <label>
-          <input type="checkbox" ng-checked="afform.contact_summary" ng-click="editor.toggleContactSummary()">
+          <input type="checkbox" ng-checked="editor.afform.contact_summary" ng-click="editor.toggleContactSummary()">
           {{:: ts('Add to Contact Summary Page') }}
         </label>
-        <select class="form-control" ng-model="afform.contact_summary" ng-if="afform.contact_summary">
+        <select class="form-control" ng-model="editor.afform.contact_summary" ng-if="editor.afform.contact_summary">
           <option value="block">{{:: ts('As Block') }}</option>
           <option value="tab">{{:: ts('As Tab') }}</option>
         </select>
       </div>
       <p class="help-block">{{:: ts('Placement can be configured using the Contact Layout Editor.') }}</p>
     </div>
-    <div class="form-group" ng-if="afform.contact_summary && editor.searchDisplay && editor.searchFilters.length > 1">
+    <div class="form-group" ng-if="editor.afform.contact_summary && editor.searchDisplay && editor.searchFilters.length > 1">
       <div class="form-inline">
         <label for="af_config_form_search_filters">
           {{:: ts('Filter on:') }}
@@ -92,7 +92,7 @@
       <label for="af_config_redirect">
         {{:: ts('Post-Submit Page') }}
       </label>
-      <input ng-model="afform.redirect" name="redirect" class="form-control" id="af_config_redirect" title="{{:: ts('Post-Submit Page') }}" pattern="^((http|https):\/\/|\/|civicrm\/)[-0-9a-zA-Z\/_.]\S+$" title="{{:: ts('Post-Submit Page must be either an absolute url, a relative url or a path starting with CiviCRM') }}"/>
+      <input ng-model="editor.afform.redirect" name="redirect" class="form-control" id="af_config_redirect" title="{{:: ts('Post-Submit Page') }}" pattern="^((http|https):\/\/|\/|civicrm\/)[-0-9a-zA-Z\/_.]\S+$" title="{{:: ts('Post-Submit Page must be either an absolute url, a relative url or a path starting with CiviCRM') }}"/>
       <p class="help-block">{{:: ts('Enter a URL or path that the form should redirect to following a successful submission.') }}</p>
     </div>
   </fieldset>
diff --git a/ext/afform/admin/ang/afGuiEditor/entityConfig/Contact.html b/ext/afform/admin/ang/afGuiEditor/entityConfig/Contact.html
index cfa51ea41d..7d53b8e261 100644
--- a/ext/afform/admin/ang/afGuiEditor/entityConfig/Contact.html
+++ b/ext/afform/admin/ang/afGuiEditor/entityConfig/Contact.html
@@ -1,9 +1,9 @@
 <div ng-include="'~/afGuiEditor/entityConfig/Generic.html'"></div>
-<div class="form-inline">
-  <label>
-    {{:: ts('Autofill as') }}
+<div class="form-inline" ng-if="$ctrl.entity.actions.update">
+  <label class="control-label" for="{{:: $ctrl.entity.name + '_autofill' }}">
+    {{:: ts('Auto-Update') }}
   </label>
-  <select ng-model="$ctrl.entity.autofill" class="form-control">
+  <select id="{{:: $ctrl.entity.name + '_autofill' }}" ng-model="$ctrl.entity.autofill" class="form-control">
     <option value="">{{:: ts('None') }}</option>
     <option value="user">{{:: ts('Current User') }}</option>
   </select>
diff --git a/ext/afform/admin/ang/afGuiEditor/entityConfig/Generic.html b/ext/afform/admin/ang/afGuiEditor/entityConfig/Generic.html
index aee1e37621..a2577e9ce1 100644
--- a/ext/afform/admin/ang/afGuiEditor/entityConfig/Generic.html
+++ b/ext/afform/admin/ang/afGuiEditor/entityConfig/Generic.html
@@ -1,10 +1,10 @@
 <div class="form-group">
-  <label class="control-label">
+  <label class="control-label" for="{{:: $ctrl.entity.name + '_security' }}">
     {{:: ts('Security') }}
   </label>
-  <select ng-model="$ctrl.entity.security" class="form-control">
-    <option value="RBAC">{{:: ts('Role-Based')}}</option>
-    <option value="FBAC">{{:: ts('Form-Based')}}</option>
+  <select id="{{:: $ctrl.entity.name + '_security' }}" ng-model="$ctrl.entity.security" class="form-control">
+    <option value="RBAC">{{:: ts('Role-Based') }}</option>
+    <option value="FBAC">{{:: ts('Form-Based') }}</option>
   </select>
 </div>
 <div class="form-group">
@@ -18,9 +18,21 @@
     <label><input type="checkbox" ng-model="$ctrl.entity.actions.update">{{:: ts('Update') }}</label>
   </div>
 </div>
-<div class="checkbox">
-  <label>
-    <input type="checkbox" ng-model="$ctrl.entity['url-autofill']" ng-true-value="'1'" ng-false-value="'0'" />
-    {{:: ts('Allow URL Autofill') }}
-  </label>
+<div ng-if="$ctrl.entity.actions.update">
+  <div class="checkbox">
+    <label>
+      <input type="checkbox" ng-model="$ctrl.entity['url-autofill']" ng-true-value="'1'" ng-false-value="'0'" />
+      {{:: ts('Accept ID from URL') }}
+    </label>
+  </div>
+  <div class="description bg-warning" ng-if="$ctrl.entity['url-autofill'] === '1' && $ctrl.entity.security === 'FBAC'">
+    <i class="crm-i fa-warning"></i>
+    {{:: ts('Without Role-Based access, users of the form will be able to view and update any %1 by changing the id in the URL.', {1: getMeta().label}) }}
+  </div>
+  <div class="description" ng-if="$ctrl.entity['url-autofill'] === '1'">
+    {{:: ts('Update %1 by including the id in the link to this form:', {1: getMeta().label}) }}
+    <code>
+      {{ ($ctrl.editor.getLink() || '') + '#?' + $ctrl.entity.name + '=123' }}
+    </code>
+  </div>
 </div>
diff --git a/ext/afform/core/Civi/Afform/Event/AfformSubmitEvent.php b/ext/afform/core/Civi/Afform/Event/AfformSubmitEvent.php
index ff2ddb9b1f..d937c2fec2 100644
--- a/ext/afform/core/Civi/Afform/Event/AfformSubmitEvent.php
+++ b/ext/afform/core/Civi/Afform/Event/AfformSubmitEvent.php
@@ -97,7 +97,7 @@ class AfformSubmitEvent extends AfformBaseEvent {
    * @return $this
    */
   public function setEntityId($index, $entityId) {
-    $this->entityIds[$this->entityName][$index] = $entityId;
+    $this->entityIds[$this->entityName][$index]['id'] = $entityId;
     return $this;
   }
 
diff --git a/ext/afform/core/Civi/Api4/Action/Afform/AbstractProcessor.php b/ext/afform/core/Civi/Api4/Action/Afform/AbstractProcessor.php
index f222375523..f497f0aef8 100644
--- a/ext/afform/core/Civi/Api4/Action/Afform/AbstractProcessor.php
+++ b/ext/afform/core/Civi/Api4/Action/Afform/AbstractProcessor.php
@@ -6,7 +6,7 @@ use Civi\Afform\FormDataModel;
 use Civi\Api4\Generic\Result;
 
 /**
- * Shared functionality for form submission processing.
+ * Shared functionality for form submission pre & post processing.
  * @package Civi\Api4\Action\Afform
  */
 abstract class AbstractProcessor extends \Civi\Api4\Generic\AbstractAction {
@@ -24,6 +24,9 @@ abstract class AbstractProcessor extends \Civi\Api4\Generic\AbstractAction {
    */
   protected $args = [];
 
+  /**
+   * @var array
+   */
   protected $_afform;
 
   /**
@@ -32,6 +35,20 @@ abstract class AbstractProcessor extends \Civi\Api4\Generic\AbstractAction {
    */
   protected $_formDataModel;
 
+  /**
+   * Ids of each autoloaded entity.
+   *
+   * Each key in the array corresponds to the name of an entity,
+   * and the value is an array of arrays
+   * (because of `<af-repeat>` all entities are treated as if they may be multi)
+   * E.g. $entityIds['Individual1'] = [['id' => 1, 'joins' => ['Email' => [1,2,3]]];
+   *
+   * @var array
+   */
+  protected $_entityIds = [];
+
+  protected $_entityValues = [];
+
   /**
    * @param \Civi\Api4\Generic\Result $result
    * @throws \API_Exception
@@ -40,24 +57,81 @@ abstract class AbstractProcessor extends \Civi\Api4\Generic\AbstractAction {
     // This will throw an exception if the form doesn't exist or user lacks permission
     $this->_afform = (array) civicrm_api4('Afform', 'get', ['where' => [['name', '=', $this->name]]], 0);
     $this->_formDataModel = new FormDataModel($this->_afform['layout']);
-    $this->validateArgs();
+    $this->loadEntities();
     $result->exchangeArray($this->processForm());
   }
 
   /**
-   * Strip out arguments that are not allowed on this form
+   * Load all entities
    */
-  protected function validateArgs() {
-    $rawArgs = $this->args;
-    $entities = $this->_formDataModel->getEntities();
-    $this->args = [];
-    foreach ($rawArgs as $arg => $val) {
-      if (!empty($entities[$arg]['url-autofill'])) {
-        $this->args[$arg] = $val;
+  private function loadEntities() {
+    foreach ($this->_formDataModel->getEntities() as $entityName => $entity) {
+      $this->_entityIds[$entityName] = [];
+      if (!empty($entity['actions']['update'])) {
+        if (!empty($this->args[$entityName]) && !empty($entity['url-autofill'])) {
+          $ids = array_map('trim', explode(',', $this->args[$entityName]));
+          // Limit number of records to 1 unless using af-repeat
+          $ids = array_slice($ids, 0, !empty($entity['af-repeat']) ? $entity['max'] ?? NULL : 1);
+          $this->loadEntity($entity, $ids);
+        }
+        elseif (!empty($entity['autofill'])) {
+          $this->autofillEntity($entity, $entity['autofill']);
+        }
       }
     }
   }
 
+  /**
+   * Fetch all data needed to display a given entity on this form
+   *
+   * @param array $entity
+   * @param array $ids
+   */
+  private function loadEntity(array $entity, array $ids) {
+    $api4 = $this->_formDataModel->getSecureApi4($entity['name']);
+    $result = $api4($entity['type'], 'get', [
+      'where' => [['id', 'IN', $ids]],
+      'select' => array_keys($entity['fields']),
+    ])->indexBy('id');
+    foreach ($ids as $index => $id) {
+      $this->_entityIds[$entity['name']][$index] = [
+        'id' => isset($result[$id]) ? $id : NULL,
+        'joins' => [],
+      ];
+      if (isset($result[$id])) {
+        $data = ['fields' => $result[$id]];
+        foreach ($entity['joins'] ?? [] as $joinEntity => $join) {
+          $data['joins'][$joinEntity] = (array) $api4($joinEntity, 'get', [
+            'where' => self::getJoinWhereClause($entity['type'], $joinEntity, $id),
+            'limit' => !empty($join['af-repeat']) ? $join['max'] ?? 0 : 1,
+            'select' => array_keys($join['fields']),
+            'orderBy' => self::getEntityField($joinEntity, 'is_primary') ? ['is_primary' => 'DESC'] : [],
+          ]);
+          $this->_entityIds[$entity['name']][$index]['joins'][$joinEntity] = array_column($data['joins'][$joinEntity], 'id');
+        }
+        $this->_entityValues[$entity['name']][$index] = $data;
+      }
+    }
+  }
+
+  /**
+   * Fetch an entity based on its autofill settings
+   *
+   * @param $entity
+   * @param $mode
+   */
+  private function autoFillEntity($entity, $mode) {
+    $id = NULL;
+    if ($entity['type'] == 'Contact') {
+      if ($mode == 'user') {
+        $id = \CRM_Core_Session::getLoggedInContactID();
+      }
+    }
+    if ($id) {
+      $this->loadEntity($entity, [$id]);
+    }
+  }
+
   /**
    * @return array
    */
diff --git a/ext/afform/core/Civi/Api4/Action/Afform/Prefill.php b/ext/afform/core/Civi/Api4/Action/Afform/Prefill.php
index 8fb0c8ed8e..a7d1257f6f 100644
--- a/ext/afform/core/Civi/Api4/Action/Afform/Prefill.php
+++ b/ext/afform/core/Civi/Api4/Action/Afform/Prefill.php
@@ -8,70 +8,8 @@ namespace Civi\Api4\Action\Afform;
  */
 class Prefill extends AbstractProcessor {
 
-  protected $_data = [];
-
   protected function processForm() {
-    foreach ($this->_formDataModel->getEntities() as $entityName => $entity) {
-      // Load entities from args
-      if (!empty($this->args[$entityName])) {
-        $this->loadEntity($entity, $this->args[$entityName]);
-      }
-      // Load entities from autofill settings
-      elseif (!empty($entity['autofill'])) {
-        $this->autofillEntity($entity, $entity['autofill']);
-      }
-    }
-    $data = [];
-    foreach ($this->_data as $name => $values) {
-      $data[] = ['name' => $name, 'values' => $values];
-    }
-    return $data;
-  }
-
-  /**
-   * Fetch all data needed to display a given entity on this form
-   *
-   * @param $entity
-   * @param $id
-   * @throws \API_Exception
-   */
-  private function loadEntity($entity, $id) {
-    $api4 = $this->_formDataModel->getSecureApi4($entity['name']);
-    $result = $api4($entity['type'], 'get', [
-      'where' => [['id', '=', $id]],
-      'select' => array_keys($entity['fields']),
-    ]);
-    foreach ($result as $item) {
-      $data = ['fields' => $item];
-      foreach ($entity['joins'] ?? [] as $joinEntity => $join) {
-        $data['joins'][$joinEntity] = (array) $api4($joinEntity, 'get', [
-          'where' => self::getJoinWhereClause($entity['type'], $joinEntity, $item['id']),
-          'limit' => !empty($join['af-repeat']) ? $join['max'] ?? 0 : 1,
-          'select' => array_keys($join['fields']),
-          'orderBy' => self::getEntityField($joinEntity, 'is_primary') ? ['is_primary' => 'DESC'] : [],
-        ]);
-      }
-      $this->_data[$entity['name']][] = $data;
-    }
-  }
-
-  /**
-   * Fetch an entity based on its autofill settings
-   *
-   * @param $entity
-   * @param $mode
-   * @throws \API_Exception
-   */
-  private function autoFillEntity($entity, $mode) {
-    $id = NULL;
-    if ($entity['type'] == 'Contact') {
-      if ($mode == 'user') {
-        $id = \CRM_Core_Session::getLoggedInContactID();
-      }
-    }
-    if ($id) {
-      $this->loadEntity($entity, $id);
-    }
+    return \CRM_Utils_Array::makeNonAssociative($this->_entityValues, 'name', 'values');
   }
 
 }
diff --git a/ext/afform/core/Civi/Api4/Action/Afform/Submit.php b/ext/afform/core/Civi/Api4/Action/Afform/Submit.php
index 45fdd8b5ed..6bdd6794be 100644
--- a/ext/afform/core/Civi/Api4/Action/Afform/Submit.php
+++ b/ext/afform/core/Civi/Api4/Action/Afform/Submit.php
@@ -19,27 +19,15 @@ class Submit extends AbstractProcessor {
    */
   protected $values;
 
-  /**
-   * Ids of each saved entity.
-   *
-   * Each key in the array corresponds to the name of an entity,
-   * and the value is an array of ids
-   * (because of `<af-repeat>` all entities are treated as if they may be multi)
-   * E.g. $entityIds['Individual1'] = [1];
-   *
-   * @var array
-   */
-  private $entityIds = [];
-
   protected function processForm() {
     $entityValues = [];
     foreach ($this->_formDataModel->getEntities() as $entityName => $entity) {
-      $this->entityIds[$entityName] = [];
       $entityValues[$entityName] = [];
 
       // Gather submitted field values from $values['fields'] and sub-entities from $values['joins']
       foreach ($this->values[$entityName] ?? [] as $values) {
-        $values['fields'] = $values['fields'] ?? [];
+        // Only accept values from fields on the form
+        $values['fields'] = array_intersect_key($values['fields'] ?? [], $entity['fields']);
         $entityValues[$entityName][] = $values;
       }
       // Predetermined values override submitted values
@@ -53,7 +41,8 @@ class Submit extends AbstractProcessor {
     foreach ($entityWeights as $entityName) {
       $entityType = $this->_formDataModel->getEntity($entityName)['type'];
       $records = $this->replaceReferences($entityName, $entityValues[$entityName]);
-      $event = new AfformSubmitEvent($this->_afform, $this->_formDataModel, $this, $records, $entityType, $entityName, $this->entityIds);
+      $this->fillIdFields($records, $entityName);
+      $event = new AfformSubmitEvent($this->_afform, $this->_formDataModel, $this, $records, $entityType, $entityName, $this->_entityIds);
       \Civi::dispatcher()->dispatch(self::EVENT_NAME, $event);
     }
 
@@ -67,7 +56,7 @@ class Submit extends AbstractProcessor {
    * @param $records
    */
   private function replaceReferences($entityName, $records) {
-    $entityNames = array_diff(array_keys($this->entityIds), [$entityName]);
+    $entityNames = array_diff(array_keys($this->_entityIds), [$entityName]);
     $entityType = $this->_formDataModel->getEntity($entityName)['type'];
     foreach ($records as $key => $record) {
       foreach ($record['fields'] as $field => $value) {
@@ -75,12 +64,12 @@ class Submit extends AbstractProcessor {
           if (is_array($value)) {
             foreach ($value as $i => $val) {
               if (in_array($val, $entityNames, TRUE)) {
-                $records[$key]['fields'][$field][$i] = $this->entityIds[$val][0];
+                $records[$key]['fields'][$field][$i] = $this->_entityIds[$val][0]['id'] ?? NULL;
               }
             }
           }
           else {
-            $records[$key]['fields'][$field] = $this->entityIds[$value][0];
+            $records[$key]['fields'][$field] = $this->_entityIds[$value][0]['id'] ?? NULL;
           }
         }
       }
@@ -96,9 +85,15 @@ class Submit extends AbstractProcessor {
   public static function processGenericEntity(AfformSubmitEvent $event) {
     $api4 = $event->getSecureApi4();
     foreach ($event->records as $index => $record) {
-      $saved = $api4($event->getEntityType(), 'save', ['records' => [$record['fields']]])->first();
-      $event->setEntityId($index, $saved['id']);
-      self::saveJoins($event->getEntityType(), $saved['id'], $record['joins'] ?? []);
+      try {
+        $saved = $api4($event->getEntityType(), 'save', ['records' => [$record['fields']]])->first();
+        $event->setEntityId($index, $saved['id']);
+        self::saveJoins($event->getEntityType(), $saved['id'], $record['joins'] ?? []);
+      }
+      catch (\API_Exception $e) {
+        // What to do here? Sometimes we should silently ignore errors, e.g. an optional entity
+        // intentionally left blank. Other times it's a real error the user should know about.
+      }
     }
   }
 
@@ -186,4 +181,16 @@ class Submit extends AbstractProcessor {
     return $this;
   }
 
+  /**
+   * @param array $records
+   * @param string $entityName
+   */
+  private function fillIdFields(array &$records, string $entityName): void {
+    foreach ($records as $index => &$record) {
+      if (empty($record['fields']['id']) && !empty($this->_entityIds[$entityName][$index]['id'])) {
+        $record['fields']['id'] = $this->_entityIds[$entityName][$index]['id'];
+      }
+    }
+  }
+
 }
diff --git a/ext/afform/mock/ang/mockPublicForm.test.php b/ext/afform/mock/ang/mockPublicForm.test.php
index 70feb1f6a2..3699eadfcb 100644
--- a/ext/afform/mock/ang/mockPublicForm.test.php
+++ b/ext/afform/mock/ang/mockPublicForm.test.php
@@ -51,16 +51,15 @@ class MockPublicFormTest extends \Civi\AfformMock\FormTestCase {
     $me[0]['fields']['first_name'] = 'Firsty' . $r;
     $me[0]['fields']['last_name'] = 'Lasty' . $r;
 
-    $this->submitError(['args' => [], 'values' => ['me' => $me]]);
-    $this->assertContentType('application/json')->assertStatusCode(403);
+    $this->submit(['args' => [], 'values' => ['me' => $me]]);
 
-    // Contact hasn't changed
+    // Original contact hasn't changed
     $get = Civi\Api4\Contact::get(FALSE)->addWhere('id', '=', $contact['id'])->execute()->single();
     $this->assertEquals('FirstBegin', $get['first_name']);
     $this->assertEquals('LastBegin', $get['last_name']);
 
-    // No other contacts were created or edited with the requested value.
-    $this->assertEquals(0, CRM_Core_DAO::singleValueQuery('SELECT count(*) FROM civicrm_contact WHERE first_name=%1', [1 => ["Firsty{$r}", 'String']]));
+    // Instead of updating original, a new contact was created.
+    $this->assertEquals(1, CRM_Core_DAO::singleValueQuery('SELECT count(*) FROM civicrm_contact WHERE first_name=%1', [1 => ["Firsty{$r}", 'String']]));
   }
 
   /**
diff --git a/ext/afform/mock/tests/phpunit/api/v4/AfformUsageTest.php b/ext/afform/mock/tests/phpunit/api/v4/AfformUsageTest.php
index 220a0fe9b6..953242e119 100644
--- a/ext/afform/mock/tests/phpunit/api/v4/AfformUsageTest.php
+++ b/ext/afform/mock/tests/phpunit/api/v4/AfformUsageTest.php
@@ -36,6 +36,31 @@ EOHTML;
     <af-field name="subject" />
   </fieldset>
 </af-form>
+EOHTML;
+    self::$layouts['employer'] = <<<EOHTML
+<af-form ctrl="afform">
+  <af-entity data="{contact_type: 'Individual'}" url-autofill="1" type="Contact" name="Individual1" label="Individual 1" actions="{create: true, update: true}" security="RBAC" autofill="user" />
+  <af-entity data="{contact_type: 'Organization'}" type="Contact" name="Organization1" label="Organization 1" actions="{create: true, update: true}" security="RBAC" />
+  <fieldset af-fieldset="Individual1">
+    <legend class="af-text">Individual 1</legend>
+    <div class="af-container">
+      <div class="af-container af-layout-inline">
+        <af-field name="first_name" />
+        <af-field name="middle_name" />
+        <af-field name="last_name" />
+        <div class="af-container"></div>
+      </div>
+    </div>
+    <af-field name="employer_id" defn="{input_type: 'Select', input_attrs: {}}" />
+  </fieldset>
+  <fieldset af-fieldset="Organization1">
+    <legend class="af-text">Organization 1</legend>
+    <div class="af-container">
+      <af-field name="organization_name" />
+    </div>
+  </fieldset>
+  <button class="af-button btn-primary" crm-icon="fa-check" ng-click="afform.submit()">Submit</button>
+</af-form>
 EOHTML;
   }
 
@@ -70,13 +95,13 @@ EOHTML;
     $this->assertEquals('Logged In', $prefill['me']['values'][0]['fields']['first_name']);
     $this->assertRegExp('/^User/', $prefill['me']['values'][0]['fields']['last_name']);
 
-    $me = $prefill['me']['values'];
-    $me[0]['fields']['first_name'] = 'Firsty';
-    $me[0]['fields']['last_name'] = 'Lasty';
+    $submission = [
+      ['fields' => ['first_name' => 'Firsty', 'last_name' => 'Lasty']],
+    ];
 
     Civi\Api4\Afform::submit()
       ->setName($this->formName)
-      ->setValues(['me' => $me])
+      ->setValues(['me' => $submission])
       ->execute();
 
     $contact = Civi\Api4\Contact::get(FALSE)->addWhere('id', '=', $cid)->execute()->first();
@@ -90,7 +115,6 @@ EOHTML;
       'permission' => CRM_Core_Permission::ALWAYS_ALLOW_PERMISSION,
     ]);
 
-    CRM_Core_Config::singleton()->userPermissionTemp = new CRM_Core_Permission_Temp();
     $firstName = uniqid(__FUNCTION__);
 
     $values = [
@@ -99,7 +123,10 @@ EOHTML;
           'fields' => [
             'first_name' => $firstName,
             'last_name' => 'site',
-            'source' => 'test source',
+            // Not allowed to be updated because it's set in 'data'
+            'source' => 'This field is set in the data array',
+            // Not allowed to be updated because it's not a field on the form
+            'formal_title' => 'Danger this field is not on the form',
           ],
         ],
       ],
@@ -162,6 +189,47 @@ EOHTML;
     }
   }
 
+  public function testEmployerReference(): void {
+    $this->useValues([
+      'layout' => self::$layouts['employer'],
+      'permission' => CRM_Core_Permission::ALWAYS_ALLOW_PERMISSION,
+    ]);
+
+    $firstName = uniqid(__FUNCTION__);
+    $orgName = uniqid(__FUNCTION__);
+
+    $values = [
+      'Individual1' => [
+        [
+          'fields' => [
+            'first_name' => $firstName,
+            'last_name' => 'employee',
+            // Selecting the Org entity as employer of the Individual
+            'employer_id' => 'Organization1',
+          ],
+        ],
+      ],
+      'Organization1' => [
+        [
+          'fields' => [
+            'organization_name' => $orgName,
+          ],
+        ],
+      ],
+    ];
+    Civi\Api4\Afform::submit()
+      ->setName($this->formName)
+      ->setValues($values)
+      ->execute();
+    $contact = \Civi\Api4\Contact::get()
+      ->addWhere('first_name', '=', $firstName)
+      ->addWhere('last_name', '=', 'employee')
+      ->addJoin('Contact AS org', 'LEFT', ['employer_id', '=', 'org.id'])
+      ->addSelect('org.organization_name')
+      ->execute()->first();
+    $this->assertEquals($orgName, $contact['org.organization_name']);
+  }
+
   protected function useValues($values) {
     $defaults = [
       'title' => 'My form',
-- 
2.25.1