diff --git a/components/hidden.inc b/components/hidden.inc index faf1379..e173c29 100644 --- a/components/hidden.inc +++ b/components/hidden.inc @@ -111,15 +111,6 @@ function _webform_display_hidden($component, $value, $format = 'html') { '#translatable' => array('title'), ); - // TODO: This check is unusual. It shows hidden fields in e-mails but not - // when viewing in the browser unless you're an administrator. This should be - // a more logical check. See these related issues: - // http://drupal.org/node/313639 - // http://drupal.org/node/781786 - if ($format == 'html') { - $element['#access'] = user_access('edit all webform submissions') || user_access('access all webform results'); - } - return $element; } diff --git a/webform.module b/webform.module index d4dd99d..050f949 100644 --- a/webform.module +++ b/webform.module @@ -999,6 +999,32 @@ function webform_webform_submission_update($node, $submission) { } /** + * Implements hook_webform_submission_render_alter(). + */ +function webform_webform_submission_render_alter(&$renderable) { + // If displaying a submission to end-users who are viewing their own + // submissions (and not through an e-mail), do not show hidden values. + // This needs to be implemented at the level of the entire submission, since + // individual components do not get contextual information about where they + // are being displayed. + $node = $renderable['#node']; + $is_admin = webform_results_access($node); + if (empty($renderable['#email']) && !$is_admin) { + // Find and hide the display of all hidden components. + foreach ($node->webform['components'] as $cid => $component) { + if ($component['type'] == 'hidden') { + $parents = webform_component_parent_keys($node, $component); + $element = &$renderable; + foreach ($parents as $pid) { + $element = &$element[$pid]; + } + $element['#access'] = FALSE; + } + } + } +} + +/** * Implements hook_file_download(). * * Only allow users with view webform submissions to download files.