Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
Problem/Motivation
If a user has the permission to edita Webform submission but not to view encrypted values all encrypted values within a submission are overwritten with '[Value Encrypted]' regardless of whether they were changed or not (if the user were to edit any value within submission).
Marking as criticaldue to data loss.
Comment | File | Size | Author |
---|---|---|---|
#30 | 2925622-30.patch | 5.27 KB | Manuel Garcia |
| |||
#30 | interdiff-2925622-28-30.txt | 837 bytes | Manuel Garcia |
#28 | 2925622-28.patch | 5.27 KB | Manuel Garcia |
| |||
#28 | interdiff-2925622-20-28.txt | 1.48 KB | Manuel Garcia |
#20 | 2925622-20.patch | 5.32 KB | Manuel Garcia |
|
Comments
Comment #2
Manuel Garcia CreditAttribution: Manuel Garcia as a volunteer and at Appnovation for Pfizer, Inc. commentedThank you very much for the report, we will need to fix this before the first alpha release.
Comment #3
Manuel Garcia CreditAttribution: Manuel Garcia as a volunteer and at Appnovation for Pfizer, Inc. commentedHere's a test verifying the bug.
Comment #5
Manuel Garcia CreditAttribution: Manuel Garcia as a volunteer and at Appnovation for Pfizer, Inc. commentedI've tried implementing
hook_webform_element_alter()
to disable the encrypted fields if the user doesn't have the'view encrypted values'
permission, but the values are still being saved for those fields, so that's not going to work.I've also tried tackling this on
webform_encrypt_entity_presave()
, we can check there if the value to be saved is[Value Encrypted]
but we can't save only the other values as far as I know.We could consider removing access to editing webform submissions where any field is encrypted if the user doesn't have the
'view encrypted values'
permission.Any other ideas?
Comment #6
Manuel Garcia CreditAttribution: Manuel Garcia as a volunteer and at Appnovation for Pfizer, Inc. commentedBumping down the priority, since there is a work around for this (giving the permission to view encrypted values).
I am also going to mark this as by design for now, since if you are going to allow your users to edit submissions, it can be assumed they are going to need to view encrypted values.
If someone comes up with a viable way to prevent this situation, feel free to reopen.
Comment #7
Rob Holmes CreditAttribution: Rob Holmes commentedRe-opening to pose the question that if a user who can edit a submission should inherently be able to view encrpyted values should we just add that permission check to the storage controller? This would prevent any possibility of missing the permission and allwoingdata to be corrupted. e.g.
if ($check_permissions && !\Drupal::currentUser()->hasPermission('view encrypted values') && !\Drupal::currentUser()->hasPermission('edit any webform submission')) {
Would probably have to go further and check to see if the user owns the submission and then check for "edit own webform submission" as well.
Comment #8
Rob Holmes CreditAttribution: Rob Holmes commentedUntested but conceptual....
Would involve passing $webform_submission around the place.... Also noticed that $check_permissions flagis never actually used, do we still need this?
Comment #9
Manuel Garcia CreditAttribution: Manuel Garcia as a volunteer and at Appnovation for Pfizer, Inc. commentedIf you give a user the permission to edit webform submissions, they should be able to see the values in them, other wise there isn't really a point in being able to edit webform submissions.
So +1 from me, #8 makes a lot of sense.
If we do this we should also make it very clear in the documentation & project page that this is how the module works so as to avoid misunderstandings.
Comment #10
Rob Holmes CreditAttribution: Rob Holmes commentedHere is a quick attempt at a patch, probably wont apply as its based on the nested fields patch in #2924957: Unable to encrypt nested/multiple nested fields leaving here to retest if/when the other issue gets committed.
Proposed text: "This module provides the 'view encrypted values' permission which will prevent encrpyted values from being viewed on a per role basis. Please note however that if a user has the 'edit own webform submission' or 'edit any webform submission' permissions they will also be able to view the encrypted values."
Comment #11
Manuel Garcia CreditAttribution: Manuel Garcia as a volunteer and at Appnovation for Pfizer, Inc. commentedThanks @Rob Holmes!
Let's wait until #2924957: Unable to encrypt nested/multiple nested fields gets in before continuing work here. Hopefully it will be committed soon.
Comment #12
Manuel Garcia CreditAttribution: Manuel Garcia as a volunteer and at Appnovation for Pfizer, Inc. commented#2924957: Unable to encrypt nested/multiple nested fields just got in :)
Comment #13
Rob Holmes CreditAttribution: Rob Holmes commentedQueued for retest.
Comment #14
Rob Holmes CreditAttribution: Rob Holmes commentedComment #15
Manuel Garcia CreditAttribution: Manuel Garcia as a volunteer and at Appnovation for Pfizer, Inc. commentedThe changes to
WebformEncryptSubmissionStorage::decrypt()
on #10 would affect not only when a user editing a submission, but also when a user views a submission. So this means we would be checking unrelated permissions in this case like'edit any webform submission'
.In other words, this approach is not going to work I'm afraid. This also highlights the need for more test coverage regarding users with different permissions (we should have tests that would've picked this up).
The only option I see here is denying the user access to update webform submissions that are encrypted unless they have the
'view encrypted values'
permission, so as to prevent data loss at least. We could accomplish this via swapping in a new access handler, so here is a patch taking that approach, though completely untested as I've run out of time.Comment #17
Manuel Garcia CreditAttribution: Manuel Garcia as a volunteer and at Appnovation for Pfizer, Inc. commentedOops
Comment #18
Rob Holmes CreditAttribution: Rob Holmes commentedThanks @Manuel, that makes sense to me, ill try to test later today.
Comment #19
gambryManually tested and only users able to both edit submissions and view encrypted values can access the edit submission page.
The only feedback is:
isset($config[$element_name])
should be prepended to the condition, otherwise a notice is raised if element is not encrypted.Also tests on #3 are still valid, the only change is user without 'view encrypted values' permission shouldn't be able to access the page:
Final thought: do we need to test users with only 'view encrypted values' (and not 'edit any/own submission') are forbidden? Just to avoid in principle any future regression.
Comment #20
Manuel Garcia CreditAttribution: Manuel Garcia as a volunteer and at Appnovation for Pfizer, Inc. commentedThanks @gambry for the review, all good points.
Addressing #19 here.
Comment #23
Manuel Garcia CreditAttribution: Manuel Garcia as a volunteer and at Appnovation for Pfizer, Inc. commentedI'm not sure what's going on with the dates here.
Comment #24
gambryAt least head is failing too. I didn't have a chance to check it myself. Will give it a go later today, in the meanwhile I remember @thecraighammond on #2925621: Encryption of pre-existing data #19 added the property 'format' => short to the date. That should fix it.
Comment #25
gambry#2936159: Hardcoded value for the date field in WebformEncryptFunctionalTest got in, let's give #20 another run.
Comment #27
gambrynitpick, these should be
===
.Also there is a coding standard error, but I can't find out what that is. I suspect is the unused $page variable on WebformEncryptEditSumissionsTest
$page = $this->getSession()->getPage();
.Setting RTBC as both are small issues and can be fixed on commit. Nice one!
Comment #28
Manuel Garcia CreditAttribution: Manuel Garcia as a volunteer and at Appnovation for Pfizer, Inc. commentedFixing nitpicks =)
Comment #29
gambryThen this needs indentical operator too.
Comment #30
Manuel Garcia CreditAttribution: Manuel Garcia as a volunteer and at Appnovation for Pfizer, Inc. commentedFair enough :)
Comment #31
Manuel Garcia CreditAttribution: Manuel Garcia as a volunteer and at Appnovation for Pfizer, Inc. commentedAdding attribution to @gambry for reviews.
Comment #32
gambryAll looks good!
Thanks a lot!
Comment #34
Manuel Garcia CreditAttribution: Manuel Garcia as a volunteer and at Appnovation for Pfizer, Inc. commented