Hi, All:

Refer to the instruction in Showing Process Instance (List Record) Data in a Form.

I found user just need to change the id number in the url, then he can see all the content of the forms that was submited by other people.

For example :

http://localhost:8080/jw/web/userview/leaveApp/userview//applicationForm?id=21162_leaveApp_applyLeaveProcess

http://localhost:8080/jw/web/userview/leaveApp/userview//applicationForm?id=21163_leaveApp_applyLeaveProcess

http://localhost:8080/jw/web/userview/leaveApp/userview//applicationForm?id=21164_leaveApp_applyLeaveProcess

How can I prevent this ? 

Appreciate your kindly help.

Best Regards
Jonathan Yang