FormBuilder "magic" links should log in the user so that User-based Entity security behaves as expected
Overview
When sending a link to a Form Builder form to a user by token (e.g. {afform.afformSubmissionLink}), the generated URL provides information that allows the form to auto-populate. It should also log in the specific contact who received the link similarly to the behaviour of the contact_id and checksum tokens when used together.
Reproduction steps
- create a new basic submission form
- set 'Expose to:' to include 'Message Tokens'
- set 'Individual 1' Security to 'User-based'
- set 'Autofill' to 'current user'
- Go to a contact summary page and merge document to use the exposed token.
- Follow the link in the merged document
Current behaviour
Sometimes the form will throw an error, other times if the overall display permissions are open enough, the form will display and auto-populate, but any changes to the Individual 1 contact record will fail.
Expected behaviour
CiviCRM should recognize the user as a logged-in contact because we have sent them a 'magic' link.
Environment information
https://wpmaster.demo.civicrm.org test environment via firefox 123