Not sure if this is the correct board, but will ask here.
I am trying to set up the following process:
1. Visitor completes an embedded form with their email requesting an update to their details (working)
2. A workflow checks if they are an existing contact (working)
3. Visitor is sent an email with a link to either a "sign up" form page or an "update details" form page hosted on HubSpot depending on the result of 2 (working)
4. The personalized email prepopulates the form page with CRM data (Not working)
Questions:
1. The "Pre-populate form fields for returning visitors" setting appears to just take browser cache and so is somewhat useless for my case - I do not want to take cache, I want data from the CRM for the submitted email. How do I get this to occur?
2. Submissions that don't update the DB still provide a successful response to the user. How do I stop this? If the update failed it should tell the user to contact someone for support
3. How do I ensure secure access to the update/signup form? I don't want someone updating someone else's account by - for example - allowing them to enter whatever email they like into the update form (I have tested this and at the moment it does allow arbitrary writes to other contacts). Where can I control this?
The short answer here is that HubSpot simply does not offer that functionality, at least not to the point where it's meeting your requirements. Web-forms are a one-way tool. They can't look up or verify information in the CRM. (If that was possible, it would be a surface for attackers.)
For a true functionality that allows contacts to both check their information and change it, a log-in area, allowing contacts to manage their account would be needed.
That being said, let me address some of your individual points:
@RMazzoldi wrote: The personalized email prepopulates the form page with CRM data (Not working)
@RMazzoldi wrote: The "Pre-populate form fields for returning visitors" setting appears to just take browser cache and so is somewhat useless for my case - I do not want to take cache, I want data from the CRM for the submitted email. How do I get this to occur?
See above – however, as mentioned, you cannot have the form look up information in the CRM, that would be a data security nightmare. You can only pass information through the email into the browser via parameters. (Keep in mind that forwarding the email means that the recipient now has all of this information.)
@RMazzoldi wrote: Submissions that don't update the DB still provide a successful response to the user. How do I stop this? If the update failed it should tell the user to contact someone for support
Because of the one-way-logic I described, this is expected behavior and cannot be changed. The form does not know whether it's submitting new or existing information. The confirmation is shown because technically, it is working. Anything else would require custom development.
@RMazzoldi wrote: How do I ensure secure access to the update/signup form? I don't want someone updating someone else's account by - for example - allowing them to enter whatever email they like into the update form (I have tested this and at the moment it does allow arbitrary writes to other contacts). Where can I control this?
Unfortunately, this is again a limitation in HubSpot. It's not possible to prevent someone from just sending form submissions for a list of email addresses and thus updating contact records in your system.
These requests submitted to the HubSpot Ideas section of the community are reviewed by the HubSpot product team, based on their popularity and the assumed demand. I'd recommend commenting and upvoting.
You can also help other HubSpot users find this request more easily (and drive traction) by accepting my reply as a solution. I'd appreciate it, too.
Have a great day!
Karsten Köhler HubSpot Freelancer | RevOps & CRM Consultant | Community Hall of Famer
Thanks for getting back to me, it's been very helpful. I do have some follow-up questions from your response.
Web-forms are a one-way tool. They can't look up or verify information in the CRM. (If that was possible, it would be a surface for attackers.)
Sure. Though I feel the current situation is not much more secure. HubSpot allowing arbitrary updates to the DB from forms. I was able to edit fields of other contacts - including related entities like companies they worked for - at will. No checks, no authentication. This seems kind of wild to me. There didn't even seem to be limitations on form re-submission. An attacker could destroy an entire DB with a script and some knowledge of the email domains in the system.
Forms are generally being created by users with limited security knowledge. Surely the defaults should be to not allow any updating via webforms of any kind, and possibly restrict it altogether? Currently any form that is allowed to update the DB I have to assume is an attack surface. I'd have to recommend to my employer to not allow almost any forms. They just seem like too big a risk.
If all the forms are one way, may I ask how the "manage subscriptions" page is able to work?
Maybe this is better in the request area, but I would have thought a one-time token in an email to a temporary login/authenticated area with limited permissions was best-practice for such a use case?
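The one-time emailed token raised in the post above, sketched as an added example (not part of the thread and not HubSpot functionality): the custom endpoint that would sit in front of the CRM write takes the contact's identity from a signed, expiring, single-use token and ignores any email typed into the form. The function names, the 15-minute lifetime, the property allow-list and the in-memory nonce set are assumptions for illustration.

```python
import base64, hashlib, hmac, json, secrets, time

SECRET = secrets.token_bytes(32)     # server-side key; never placed in the email or page
TTL_SECONDS = 15 * 60                # assumed link lifetime
EDITABLE = {"firstname", "lastname", "phone"}   # assumed allow-list of properties
_used_nonces = set()                 # stand-in for a shared store (database, cache)

def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(email, now=None):
    """Build the value carried in the emailed link, e.g. ?t=<token>."""
    now = time.time() if now is None else now
    body = json.dumps({"email": email.lower(), "exp": int(now) + TTL_SECONDS,
                       "nonce": secrets.token_hex(16)}).encode()
    sig = hmac.new(SECRET, body, hashlib.sha256).digest()
    return f"{_b64(body)}.{_b64(sig)}"

def redeem(token, now=None):
    """Return the email the token was issued for, or raise PermissionError."""
    now = time.time() if now is None else now
    try:
        body_part, sig_part = token.split(".")
        body, sig = _unb64(body_part), _unb64(sig_part)
    except ValueError:
        raise PermissionError("malformed token")
    expected = hmac.new(SECRET, body, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        raise PermissionError("bad signature")
    claims = json.loads(body)        # parsed only after the signature checks out
    if now > claims["exp"]:
        raise PermissionError("expired")
    if claims["nonce"] in _used_nonces:
        raise PermissionError("already used")
    _used_nonces.add(claims["nonce"])
    return claims["email"]

def apply_update(token, form, now=None):
    """Pick the contact from the token, never from the submitted form."""
    email = redeem(token, now)       # raises, so the page can report the failure
    changes = {k: v for k, v in form.items() if k in EDITABLE}
    return email, changes            # caller writes these changes for this email only
```

Because `apply_update` raises on any rejected token, the page can show a "contact support" message instead of an unconditional success confirmation.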
@RMazzoldi I'm not going to argue on behalf of HubSpot, I'm a user/customer like you 😉 I agree with you when you're saying that it's not very secure if forms, one-way, update existing records. That's why I linked the existing request to the product team.
If you want to request HubSpot to implement more features, the best place would be the HubSpot Ideas section of the community. For now, we have the tools and behavior I described in my previous answer.
Hope this helps!
Karsten Köhler HubSpot Freelancer | RevOps & CRM Consultant | Community Hall of Famer
Hi @RMazzoldi and welcome, it's such a pleasure to have you here!
Thanks for asking the HubSpot Community and thanks so much @karstenkoehler for your help! ❤️
I'd like to thank you for sharing your valuable feedback! This means a lot to us.
For information, I have shared it internally to bring more visibility to it.
Have a great day!
Best, Bérangère