0

I have developed an application which has an approval flow. The application approval / reject is working fine, and I have been tasked with developing a solution for approval through emails, instead of the users logging in to the application, which anyway uses domain credentials. The application is hosted locally, allowed locally only, and is not published onto any public IPs. This requirement of mail approvals is for Management approvals, who are on the move most of the time and will not agree to go for VPN access to the said application.

So far I developed a solution which sends an eMail to the approval authority with 2 URLs (one for approve and other for reject). When the recipient of the mail clicks on the relevant link the action is updated in the database. Until here everything was tested and working fine.

Now, in case the mail is forwarded by the authorized approver to a different email ID, the secondary recipient will also be able to click on the relevant links and get the database updated, which is not the intended functionality since the secondary recipient is not an authorized approver.

Any suggestions on how to control this are desired.

Edit 1

To the 2 URLs I am sending in mail, I am adding a query string, which is a unique identifier associated with the approval authority ID.

However, if the same mail is forwarded to a secondary recipient, I am not sure on how to validate the eMail ID from which the click originated.

Edit 2

I have tried the suggestions (given in the comments below). I have generated the mail with the Request ID in the subject of the mail and requested the users to reply to that mail with only one word in the body, either Approve / Reject. I have ensured that the application shall process it in a case-insensitive way. However, there were so many typos for one word that I could not imagine the number of combinations I had to cope with.

I have also tried, having the Request ID in the subject of the mail, and requested the users to reply to that mail by appending either : A for approve or : R for reject (case insensitive). But this again resulted in numerous typos.

Kumar C
  • In your approval workflow you store who has the right to approve and the unique ID of the approval workflow. When the approval link is hit, make sure the web it goes to that link has integrated security and check the user's credentials and look if they are the ones that should approve it – Cleptus Mar 20 '20 at 08:07
  • @bradbury9 I did do this, but I am at loss on how to validate the email ID from which the click originated? – Kumar C Mar 20 '20 at 08:09
  • Do those URLs contain the credential (name/ID, not password) of the person who should approve/reject? – Kuba Do Mar 20 '20 at 08:22
  • @KubaDo they don't contain the ID; instead they contain a unique ID auto-generated by the application, which is internally linked to the approver ID. – Kumar C Mar 20 '20 at 08:41
  • Consider a different approach: validate it on the email inbox. In the topic you will have that request ID for approval/reject. Inside the body you will have only 1 of those 2 words [Approval/Reject]. By that, you will be able to get the information on who has approved from the email sender. When this email is sent to the inbox, insert it into the database, and validate by email address whether that user can approve or not – Kuba Do Mar 20 '20 at 08:54
  • Another idea: add buttons with macros inside the email, so that you will be able to gather the email information and build your query – Kuba Do Mar 20 '20 at 09:21
  • @KubaDo I am not sure on what should the buttons do when embedded inside the mail. What macro should be built to render the email ID of the click originator. – Kumar C Mar 20 '20 at 09:41
  • @KubaDo, w.r.t. having the request ID in the subject and having 2 words Approve / Reject inside the body, I have tried this and it led to typos. In case of approval, the reject word needs to be removed, and this most of the time led to deleting more letters than required. Also, in some cases the body was completely overwritten and hence I could not decipher the mail itself. – Kumar C Mar 20 '20 at 09:44
  • In regards to the button, it's VBA; considering the email as an object, it should not be a problem to obtain that information after the click. [There is a similar SO post, please check](https://stackoverflow.com/questions/36037358/button-in-email-click-to-create-new-email-with-content) – Kuba Do Mar 20 '20 at 09:49
  • 1
    You don't need to validate the email sender; there is no risk in email forwarding if the web that has the approval/rejection logic checks the Windows login of the HTTP request. IMHO this is an X-Y problem – Cleptus Mar 20 '20 at 09:58
  • Another point, as I used to work on this kind of requesting app: on the application side, the approver should choose another user who can approve in case he's not available – Kuba Do Mar 20 '20 at 09:59
  • @bradbury he needs to know who has clicked the link, and the link is generated for that specific person. It's not an XY problem – Kuba Do Mar 20 '20 at 10:00
  • the validation should be performed by the web application. If the message is forwarded and someone else clicks on the link, the application should look at the login details of the user to determine whether they have the right to do so or not. – Captain Kenpachi Mar 20 '20 at 10:06
  • @CaptainKenpachi When the link is clicked it either approves or rejects but should not ask for credentials again. In this scenario, how shall I know whether the click originated from the original recipient or the secondary recipient? – Kumar C Mar 20 '20 at 10:09
  • 1
    If you want the person to click on a link, they will have to have access to the intranet application. And they will need to be logged in. That's just how that would work. If they can't access the application from outside the building, then the link won't work. Then you have to validate the email sender address and rely on replying to the email. Those are your only options. – Captain Kenpachi Mar 20 '20 at 10:17

1 Answer

1

You have basically two options

  1. have your users reply to the email with Accept or Reject like you said. In this case, you will have to validate whether the email account in the FROM field has the right to do so.
  2. have your user click a link. In this case, you will HAVE to make the application validate the user based on his login credentials.

There is no other way to go about this. You either have to validate the email sender, or the person has to be logged in to the application. There is no other mechanism available in this scenario.

There might be different ways of implementing these two options, but those are the only options you have.

Captain Kenpachi
  • 1
    Using integrated security in IIS, and with the website configured as intranet zone on the client machines, the browser would provide the credentials without the need of a login form. If the browser provides no credentials, then a formal login should be done. – Cleptus Mar 20 '20 at 13:42
  • That's what I meant. Whether the user supplies the credentials, or whether he's already logged in via the integrated security, the app should use that data to determine who he is and whether or not he is allowed to perform that action. It shouldn't be the job of a URL parameter to tell you who the user is. Because that's a security issue. – Captain Kenpachi Mar 20 '20 at 13:50
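
An added example, not code from the question or the answer: a sketch of option 2, where the unique ID in the mailed link only selects the approval request, and the identity of the person acting comes from the authenticated session (for instance the account name reported by integrated security). The names `handle_click` and `ApprovalRequest`, the status strings, and the sample token and accounts are hypothetical.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class ApprovalRequest:
    request_id: int
    approver: str            # domain account allowed to decide this request
    status: str = "PENDING"


# Constructed sample data: unique ID from the mailed link -> request record.
PENDING: Dict[str, ApprovalRequest] = {
    "tok-7f3a9c": ApprovalRequest(1001, r"CORP\mgr.alice"),
}


def _same_account(a: str, b: str) -> bool:
    # Windows account names are case-insensitive.
    return a.casefold() == b.casefold()


def handle_click(token: str, action: str,
                 authenticated_user: Optional[str],
                 store: Dict[str, ApprovalRequest] = PENDING) -> str:
    """Decide an approve/reject click.

    authenticated_user is whatever the web server established for this
    HTTP request (None when the browser sent no credentials). It is never
    derived from the URL, so a forwarded link carries no authority.
    """
    if action not in ("approve", "reject"):
        return "400 unknown action"
    req = store.get(token)
    if req is None:
        return "404 unknown token"
    if not authenticated_user:
        return "401 login required"      # fall back to a formal login
    if not _same_account(authenticated_user, req.approver):
        return "403 not the assigned approver"
    if req.status != "PENDING":
        return "409 already decided"     # a second click cannot flip it
    req.status = "APPROVED" if action == "approve" else "REJECTED"
    return "200 " + req.status
```

The same ownership check applies to option 1, with the validated sender address taking the place of `authenticated_user`.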